Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
inxVlfQD8T.exe

Overview

General Information

Sample name:inxVlfQD8T.exe
renamed because original name is a hash value
Original sample name:29caab9a27e99e61bf3b056eda3bb63e.exe
Analysis ID:1446925
MD5:29caab9a27e99e61bf3b056eda3bb63e
SHA1:f58cad4cb6b5cefc0ca98e0b0df406bea0ca5d74
SHA256:e1612f1eb7384250bddbbe3633589076a659e5104f003ba5cd29adb9bfc6b075
Tags:DCRatexe
Infos:

Detection

DCRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • inxVlfQD8T.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\inxVlfQD8T.exe" MD5: 29CAAB9A27E99E61BF3B056EDA3BB63E)
    • schtasks.exe (PID: 7700 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7716 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7732 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7748 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7764 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7780 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7796 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7812 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7836 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7868 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7904 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7952 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7988 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8004 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8020 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8036 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8052 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8108 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8124 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8148 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8180 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7200 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7248 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2228 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7328 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7392 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7412 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5812 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1456 cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2664 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 3852 cmdline: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\xzCoZyfxKxCkf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • xzCoZyfxKxCkf.exe (PID: 8060 cmdline: C:\Recovery\xzCoZyfxKxCkf.exe MD5: 29CAAB9A27E99E61BF3B056EDA3BB63E)
  • xzCoZyfxKxCkf.exe (PID: 8080 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe" MD5: 29CAAB9A27E99E61BF3B056EDA3BB63E)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DCRatDCRat is a typical RAT that has been around since at least June 2019.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"b\":\")\",\"V\":\"#\",\"=\":\"_\",\"Q\":\"*\",\"B\":\"`\",\"i\":\">\",\"G\":\"@\",\"h\":\" \",\"g\":\"%\",\"J\":\"!\",\"6\":\"$\",\"S\":\"<\",\"3\":\"^\",\"j\":\";\",\"H\":\"|\",\"E\":\"(\",\"A\":\".\",\"5\":\",\",\"I\":\"&\",\"L\":\"-\",\"p\":\"~\"}", "PCRT": "{\"Q\":\">\",\"b\":\"%\",\"t\":\")\",\"0\":\"^\",\"a\":\"@\",\"U\":\".\",\"d\":\"&\",\"B\":\"~\",\"h\":\"*\",\"J\":\"|\",\"q\":\"-\",\"n\":\"`\",\"s\":\"<\",\"W\":\",\",\"2\":\"(\",\"3\":\"_\",\"8\":\"$\",\"D\":\"#\",\"F\":\"!\",\"G\":\" \",\"S\":\";\"}", "TAG": "", "MUTEX": "DCR_MUTEX-mq7QKLCmhs9t6SblOAG0", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
    00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
      00000017.00000002.1758461967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
        00000016.00000002.1758511140.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
          00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
            Click to see the 3 entries

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Files With System Process Name In Unsuspected Locations
            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\inxVlfQD8T.exe, ProcessId: 7644, TargetFilename: C:\Recovery\winlogon.exe
            Sigma detected: PowerShell Module File Created By Non-PowerShell Process
            Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\inxVlfQD8T.exe, ProcessId: 7644, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe

            Persistence and Installation Behavior

            barindex
            Sigma detected: Schedule system process
            Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f, CommandLine: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\inxVlfQD8T.exe", ParentImage: C:\Users\user\Desktop\inxVlfQD8T.exe, ParentProcessId: 7644, ParentProcessName: inxVlfQD8T.exe, ProcessCommandLine: schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f, ProcessId: 7852, ProcessName: schtasks.exe

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: inxVlfQD8T.exeAvira: detected
            Antivirus detection for URL or domain
            Source: http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0XAvira URL Cloud: Label: malware
            Antivirus detection for dropped file
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Recovery\winlogon.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Found malware configuration
            Source: 00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"SCRT": "{\"b\":\")\",\"V\":\"#\",\"=\":\"_\",\"Q\":\"*\",\"B\":\"`\",\"i\":\">\",\"G\":\"@\",\"h\":\" \",\"g\":\"%\",\"J\":\"!\",\"6\":\"$\",\"S\":\"<\",\"3\":\"^\",\"j\":\";\",\"H\":\"|\",\"E\":\"(\",\"A\":\".\",\"5\":\",\",\"I\":\"&\",\"L\":\"-\",\"p\":\"~\"}", "PCRT": "{\"Q\":\">\",\"b\":\"%\",\"t\":\")\",\"0\":\"^\",\"a\":\"@\",\"U\":\".\",\"d\":\"&\",\"B\":\"~\",\"h\":\"*\",\"J\":\"|\",\"q\":\"-\",\"n\":\"`\",\"s\":\"<\",\"W\":\",\",\"2\":\"(\",\"3\":\"_\",\"8\":\"$\",\"D\":\"#\",\"F\":\"!\",\"G\":\" \",\"S\":\";\"}", "TAG": "", "MUTEX": "DCR_MUTEX-mq7QKLCmhs9t6SblOAG0", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}
            Multi AV Scanner detection for dropped file
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files (x86)\Windows Defender\en-GB\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeReversingLabs: Detection: 84%
            Source: C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Recovery\winlogon.exeReversingLabs: Detection: 84%
            Source: C:\Recovery\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Users\Default\Favorites\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Source: C:\Windows\addins\xzCoZyfxKxCkf.exeReversingLabs: Detection: 84%
            Multi AV Scanner detection for submitted file
            Source: inxVlfQD8T.exeReversingLabs: Detection: 84%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
            Machine Learning detection for dropped file
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Recovery\winlogon.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: inxVlfQD8T.exeJoe Sandbox ML: detected
            Source: inxVlfQD8T.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Uninstall Information\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\7-Zip\Lang\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72Jump to behavior
            Source: inxVlfQD8T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X
            Source: inxVlfQD8T.exe, 00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\addins\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\addins\xzCoZyfxKxCkf.exe\:Zone.Identifier:$DATAJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\addins\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exe\:Zone.Identifier:$DATAJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\Microsoft.NET\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B88ABC00_2_00007FFD9B88ABC0
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B88A87D0_2_00007FFD9B88A87D
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B88C7E90_2_00007FFD9B88C7E9
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8938380_2_00007FFD9B893838
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8938480_2_00007FFD9B893848
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B894F000_2_00007FFD9B894F00
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8835EA0_2_00007FFD9B8835EA
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B88CD980_2_00007FFD9B88CD98
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B889CA70_2_00007FFD9B889CA7
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B894B180_2_00007FFD9B894B18
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B894A680_2_00007FFD9B894A68
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B889CA70_2_00007FFD9B889CA7
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8949480_2_00007FFD9B894948
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B889CA70_2_00007FFD9B889CA7
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B889CC90_2_00007FFD9B889CC9
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B889CA70_2_00007FFD9B889CA7
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8943B80_2_00007FFD9B8943B8
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B895A150_2_00007FFD9B895A15
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8948090_2_00007FFD9B894809
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8946D80_2_00007FFD9B8946D8
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B8945B80_2_00007FFD9B8945B8
            Source: C:\Recovery\xzCoZyfxKxCkf.exeCode function: 22_2_00007FFD9B8935EA22_2_00007FFD9B8935EA
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeCode function: 23_2_00007FFD9B8A35EA23_2_00007FFD9B8A35EA
            Source: inxVlfQD8T.exeStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: winlogon.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: xzCoZyfxKxCkf.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: smss.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: xzCoZyfxKxCkf.exe0.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: inxVlfQD8T.exe, 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBSoDProtection.dclib4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename( vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMessageOnStart.dclib4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000000.1633887394.00000000005E0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1679684516.0000000000F80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename$ vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename$ vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1692631107.000000001B200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMessageOnStart.dclib4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1679648350.0000000000F60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBSoDProtection.dclib4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exe, 00000000.00000002.1692496201.000000001B190000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename( vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exeBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs inxVlfQD8T.exe
            Source: inxVlfQD8T.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: inxVlfQD8T.exe, rwCOZZZE5W8NFFaybi5.csCryptographic APIs: 'TransformBlock'
            Source: inxVlfQD8T.exe, rwCOZZZE5W8NFFaybi5.csCryptographic APIs: 'TransformFinalBlock'
            Source: inxVlfQD8T.exe, UkD7xbGSvF2WJSQfMo4.csCryptographic APIs: 'CreateDecryptor'
            Source: inxVlfQD8T.exe, UkD7xbGSvF2WJSQfMo4.csCryptographic APIs: 'CreateDecryptor'
            Source: classification engineClassification label: mal100.troj.evad.winEXE@41/44@0/0
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Users\Default\Favorites\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeMutant created: NULL
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeMutant created: \Sessions\1\BaseNamedObjects\Local\c40c95821fcad23af2113f1b095add3c42702f68
            Source: inxVlfQD8T.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: inxVlfQD8T.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: inxVlfQD8T.exeReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile read: C:\Users\user\Desktop\inxVlfQD8T.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\inxVlfQD8T.exe "C:\Users\user\Desktop\inxVlfQD8T.exe"
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Recovery\xzCoZyfxKxCkf.exe C:\Recovery\xzCoZyfxKxCkf.exe
            Source: unknownProcess created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe"
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\winlogon.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /fJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: version.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Uninstall Information\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\7-Zip\Lang\016488274f7f2bJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72Jump to behavior
            Source: inxVlfQD8T.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: inxVlfQD8T.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: inxVlfQD8T.exeStatic file information: File size 1229824 > 1048576
            Source: inxVlfQD8T.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
            Source: inxVlfQD8T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains method to dynamically call methods (often used by packers)
            Source: inxVlfQD8T.exe, UkD7xbGSvF2WJSQfMo4.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            .NET source code contains potential unpacker
            Source: inxVlfQD8T.exe, foU9KGXCMQeYCrhbtoj.cs.Net Code: FoK9nlWlEr System.AppDomain.Load(byte[])
            Source: inxVlfQD8T.exe, foU9KGXCMQeYCrhbtoj.cs.Net Code: FoK9nlWlEr System.Reflection.Assembly.Load(byte[])
            Source: inxVlfQD8T.exe, foU9KGXCMQeYCrhbtoj.cs.Net Code: FoK9nlWlEr
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeCode function: 0_2_00007FFD9B89373D push ebx; retf 0_2_00007FFD9B89374A
            Source: inxVlfQD8T.exeStatic PE information: section name: .text entropy: 6.952450390290568
            Source: winlogon.exe.0.drStatic PE information: section name: .text entropy: 6.952450390290568
            Source: xzCoZyfxKxCkf.exe.0.drStatic PE information: section name: .text entropy: 6.952450390290568
            Source: smss.exe.0.drStatic PE information: section name: .text entropy: 6.952450390290568
            Source: xzCoZyfxKxCkf.exe0.0.drStatic PE information: section name: .text entropy: 6.952450390290568
            Source: inxVlfQD8T.exe, lyWkaUZBpJepMga8Uqr.csHigh entropy of concatenated method names: 'jDi1DsgucG', 'Q4p1rbFKaL', 'GNq1gJB26U', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'Bii1OknNPV'
            Source: inxVlfQD8T.exe, XF5kxCDMw1Q4K1hHUwl.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'Y8kEgFFnWA6tFm2GhSG', 'KROwEVFGxhJoPQnyscc', 'dXAPa7FJrbeC6pCt4uJ', 'VbiPp1FMNDPaPDKh6Ks', 'CJcTeVF3cbKiIhHdHPg', 'xsOAdkFBZXpyN3W406G'
            Source: inxVlfQD8T.exe, BuGGM6Xmr7ZUM5oGjBo.csHigh entropy of concatenated method names: 'O6O9LQgZhF', 'IFBoUCCH5RkKteSSOqJ', 'DOfy1mCZYLugENccwls', 'D0twbOCxHtRNaMBF3Dx', 'NNg4a2Cd0h4DXb4LJ7a', 'nqkSyiCPpO5j8kMNhAQ', 'Qgq2eLCqOWM1YQRXw1O', 'Q5WObvCpNSeBZGyIBdf', 'yygVP2CQgy4xm26PBW9', 'Hsqwp8CTOcMVCfPcjFK'
            Source: inxVlfQD8T.exe, z4h62BtcBaIVCN9HGAR.csHigh entropy of concatenated method names: '_7zt', 'wScpNL5q0f', 'riYpMbUUW9', 'v8fpdR8Lnr', 'Lx1ptRuiM1', 'YJDpmUV6D4', 'FONp3sNS0P', 'oKJHqHeRUme8YlaPxID', 'Cdv038eb4Oyqkhk8Y7g', 'SU4d3DeWVc4dUTFwHNX'
            Source: inxVlfQD8T.exe, sVRQrTZ10ylp3LD24bi.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'pKqCbE655c', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: inxVlfQD8T.exe, kaANwMlfTffU2XvW92.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'sWTxqOPqikhsTMaLxZX', 'EdcHmcPpAQJsMsa0AfM', 'mYxrE3PQT4hKKf6wUGd', 'tOYL6ePTBGSPjkVPP3D', 'gNxqexPvdqw9DRPGw2r', 'KNaildPFI8pcpBjgKjd'
            Source: inxVlfQD8T.exe, lt3UjPtgceRXLZdJyl4.csHigh entropy of concatenated method names: 'mGOOyKBx2D', 'h6FlvdE5a1MrOtuC2ip', 'gqkBkTEDO4FH9CnqRQb', 'ys0UqoENIRkNM9XjVWu', 'Y6ddKBEYaBeDYwKCXcc', 'nocrSunq5m', 'jL3rWIIgeu', 'HF7rsSJrCP', 'q98raiOQge', 'm8pr8mQuX8'
            Source: inxVlfQD8T.exe, A8xrXWZJQtcwLayTYl6.csHigh entropy of concatenated method names: 'VPP78ZtZXl1piwjqqeq', 'jFkmartPj1MO9An30bf', 'ViFKBXtdyQntImJL5sa', 'cYJ1FPtH3rIsaCaZpQR', 't1t18HiTqW', 'WM4', '_499', 'hp51E5XS4Z', 'lwq1IdNrg0', 'WP6176PcZy'
            Source: inxVlfQD8T.exe, nVX8mHDHg9pIHVgYyce.csHigh entropy of concatenated method names: 'd92Rh9oefs', 'k7WQh3QYggK7YLw6SJ0', 'KgalUPQ5BrxGHUxW3NJ', 'MKWtMqQrrMMnZDOe3uJ', 'WvjxNMQNsmAIh2uVVUN', 'UfWvspQDI0lWv25fgJy', 'sn2hYYQwmn7RoJxlXJU', 'NdyooxQWNblalmyVox5', 'O0eUsnQ2p3XCJMRpHbE', 'f28'
            Source: inxVlfQD8T.exe, FcJaHBDxBLVdkOnReVy.csHigh entropy of concatenated method names: 'GOxGNbh9Xl', 'UJ7jZsLqBR2HaaRnO6I', 'uSIhNXLpZvCKqymr80l', 'Ibx208LZNGAUB1AuvJP', 'wt4s6lLPIogdF1nlswB', 'TiC6ZPLQLhR05hGOfq2', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: inxVlfQD8T.exe, foU9KGXCMQeYCrhbtoj.csHigh entropy of concatenated method names: 'rvu9sEiQNO', 't0I9acmwa3', 'GFO983kNxj', 'cVC9EBqFJm', 'WBM9Iy3cWk', 'WSZ970CV3U', 'AAg96DGjPy', 'rxlwwuy6mI6L8E04pjV', 'IdOKwyyRxLagLmiobDT', 'HuCA4HybHgGZrIgK6N9'
            Source: inxVlfQD8T.exe, YtYHkUW9jmCvhVqUWE.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'ilTsZVPVjan8GeFWnl0', 'QOMPNLPrS4xyUMJMv05', 'GslwJrPNITlYFQfPg00', 'xH2tc9PYRtHtJJHHlnr', 'nuevVGP5P1bT7rJjxdk', 'mhNluJPDoNjHr29dluN'
            Source: inxVlfQD8T.exe, hmuhkPDTPnOa4AuvQhB.csHigh entropy of concatenated method names: 'PZbRFD5pLv', 'GM9cICvdgglwYydBa6d', 'eVLtZTvHVuCOD9SIPQO', 'hyd7ixvshYQvJbMCjMZ', 'XFBtTuvxKGgvhj22k0u', 'rMgrFtvZrniGuveDL7U', 'PnRXuqvPkDX9T5MKeQc', 'a63U2lvqp9GZoBRXu3q', 'Nh4RuQx5Ve', 'kJUpZ9vTOfq0ChUQf42'
            Source: inxVlfQD8T.exe, CFgtwrD0Dy64eP4Zaw6.csHigh entropy of concatenated method names: 'WBaGROORZ1', 'RwmGGoFI8a', 'SImG9IVyeC', 'ALJl2ZvJYMhXfdgtj3M', 'lRoQd3vMjP1RZ35CbOP', 'SoEw0bvnAKbdl0f2EZK', 'w7k2a4vGniO1BSdJc0w', 'LS1MPav3HID8yRmx33y', 'd3C6VTvBMWL6R2f8Ico', 'B1t71nv8w6mdnkSJeh9'
            Source: inxVlfQD8T.exe, KPXNVuDWwhytyfRs0jB.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'E6XkVhFuAqbqE9EbJOL', 'MbUxkWFKg5ZfHnr9vZ1', 'su4noGF9b7MYfESKq3r', 'FicA2cF1599DnZoWicd', 'OvkdEhFS2biPmGSlhb5', 'x28nniF49ux9uoE1wJW'
            Source: inxVlfQD8T.exe, VFYiRlXE76RtV0M4GPP.csHigh entropy of concatenated method names: 'MSRG4EIWkW', 'fAkGC0Rs0A', 'QcgG1MqkTA', 'AtCkR1LKwoLkjx6mCAT', 't8MkyKL9cEMKlEkVPoa', 'R7MYEML1bp6TZbxHe0v', 'sjgOljLSDK1w5XfjceZ', 'B408jxL4jHqLxy6gwnp', 'mbsC4mLf1ulNWtgpheO', 'seqnMPLOX3Hj2Ct7qwB'
            Source: inxVlfQD8T.exe, LijSCrgCKME7FvndGhw.csHigh entropy of concatenated method names: 'rNibMhnhMm', 'n3nbdxc44f', 'LHaIYqS38eJfHmo7nwS', 'dpwU39SBjLBByRhu2pT', 'SILmfES8MRGdpSCF4Kj', 'gPI16PScLE78NmKFZ1j', 'yuCrgoSiKBeKI8mb1dC', 'jFrkHvS7uDi44dcQkpY', 'yk3OerSzaBV9G8Tq4xB', 'q4xG9m4sKjilngcGfNy'
            Source: inxVlfQD8T.exe, XARgt6pWtEMxEjFToLs.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'sVjrg3sNje', 'Syisp1w03Z', 'FD9rObcy9j', 'ecdsjgdJso', 'XPHFnAbfdtjuFLuWyGP', 'jk5PuObl8O4A6AcJaZ1', 'mRoknfbSM4116AVdWQ0'
            Source: inxVlfQD8T.exe, wbcMyTplURw06YmoMZN.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'E9NsrWcj8Y', '_168', 'rZw7wUbEvMmfB1UtfFB', 'VkJx1wbeLd0r8CmZovM', 'FT06qXbapw4P1BB9ltE', 'KNasq4bge7d7oqli4P3', 'Q3BCXabILSuej4sdMPF'
            Source: inxVlfQD8T.exe, Y6xmNMD9HYkbMpwwjot.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'Y08CE4QsSDSbD2iLliK', 'LNyvjPQxl98gCgALx2J', 'U7rCpKQd1rcGKaOYLdb', 'kb6od5QHn9NMiucyAf6', 'Ft5N1ZQZwsP7uMS1cCE', 'fkoP7FQPxqETjnnSYGt'
            Source: inxVlfQD8T.exe, OABtu4DCiuKDNtbZ4P9.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'H02LtdppJpyU8CMDfBU', 'wrjLphpQ7J0TwbrZd4p', 'JV0oJvpTH1KBAviCjGH', 'anyNlGpvFGS4MmZ863S', 'T7OcaSpFSCb01KbsJKt', 'hqPAXrpLtgGBnhwxUWO'
            Source: inxVlfQD8T.exe, jqg3u1AeNjLTxHc1r7.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'me5N9ZZtuD7m4tAWRDC', 'hbMAYOZ0syxKy2001rC', 'dQ00OTZXbB8YjtL7TBg', 'Np9iEkZjfMArosnR0Xk', 'Txa59nZkkeNlSHclKnd', 'L6IbnMZnGKYmZC2RnON'
            Source: inxVlfQD8T.exe, jIQUwHDySPlH6nP0Gi6.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'k9XqYoQ7LWJbhHYyVOJ', 'EtCbbrQzyfbTQo7eW1t', 'mXDbjnTs1teEpSPNxQj', 'hQsJlPTxDljasiSOPLh', 'OVrMylTdXHJcTo4twtk', 'AEwbgRTHiT52ypJDxsU'
            Source: inxVlfQD8T.exe, dfPPWhpzsQmdq6LBSdW.csHigh entropy of concatenated method names: 'nCsrin6t03', 'aserXvcHhq', 'oAGrhPjqrq', 'Wf9aS46hGZgV4mICfNX', 'HdmLlA6m1Deb974Kmei', 'jWP5ML6lkZkF2Sm1vkN', 'FvG8PX6AXBPXDAaKraV', 'zSuEZO6tfhw0kbblmyd', 'kLT2jY60X2LNaSVrdw0', 's3ipOe6XdqMXvXL6UvH'
            Source: inxVlfQD8T.exe, C0V82cp5W1ImUi0dY3V.csHigh entropy of concatenated method names: 'DQSAacEW62', 'dHBA89m1og', 'BwAAEXpV3q', 'Fo3JA1WChoPXX0T1a7g', 'R5dbubWoBAh4rMcsJNL', 'BkBsnvWyaV9W81sP5nX', 'TUa69OWViXf8MU1LbHn', 'dSIAou3Z3L', 'BgUAJQQ7uL', 'VL8Ay5gctU'
            Source: inxVlfQD8T.exe, JfEMtXX4VQLBfNp88si.csHigh entropy of concatenated method names: 'jpeV4Hctn8', 'KpxGmy5GjDblDkGNAR9', 'gu9LxO5kxHvue17NeoU', 'bOG2Pw5nNFHV6DZcRGt', 'tTt0xf5JSnCrI89Ugys', 'epbaxU5MAwRxHgKv5Be', 'XfqV0296Kt', 'ekRVNV8KEI', 'xE0VMsWHyv', 'b2dVdFY7hC'
            Source: inxVlfQD8T.exe, HUIafmgnhGmfBgRTlt7.csHigh entropy of concatenated method names: 'Skx4QlY8o3', 'UkW4wtpPPj', 'q5J4lmDTkC', 'et44VNKL5E', 'cFT4AGYx1g', 'c6N4DdTZ5w', 'xv34ruVj2H', 'hgh4gFDFPV', 'MaF4OcUI2k', 'fm84ppGEx8'
            Source: inxVlfQD8T.exe, tkZJSHtPay2RkeboGSw.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'AFVnorrU0r', 'XaAnJZTdTi', 'r8j', 'LS1', '_55S'
            Source: inxVlfQD8T.exe, DPJkw5piI1UlX8rLVNg.csHigh entropy of concatenated method names: '_5u9', 'GM2sQjl69H', 'rhKrUTrr0B', 'mjjswbUEgw', 'MFVjtCRc8UNa7qZQIgC', 'KQOMrHRiou0dYdWtLdx', 'IbCHubR7q0mBMjvNvGR', 'dqFcgnRBgr6qyesdRHH', 'cr77hlR8cpvWNNkyqc0', 'r85YIrRzOT3WpJrayhf'
            Source: inxVlfQD8T.exe, GhRIqIZZtIror28mrG2.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: inxVlfQD8T.exe, O9sNGlgvkPm5DpkQdbs.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'coP43VMBui', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: inxVlfQD8T.exe, JTDlQatMLMtY4DACnhG.csHigh entropy of concatenated method names: 'RPPnfaVu5U', 'gwNn86nX64', 'XeKnEgSIOX', 'wLJnIuN1Ng', 'yiTn7fLEfW', 'uOYn6XxS8S', 'shUnZpAj8o', 'GgYnxwC9u5', 'Y9cnTDQqyc', 'uTMnPdLJv4'
            Source: inxVlfQD8T.exe, PygOvVp9dAThUXC8MUX.csHigh entropy of concatenated method names: 'JhbABpPVxQ', 'KjfA5Bxo8L', 'FBrAHJmZPK', 'xCgALyr7pk', 'n5ZAexnpIx', 'qgigF52qWmP8AFQH0iN', 'HIBgOp2piHs1xuMeCge', 'e2aEAP2ZNfRsYeBFtkJ', 'egkPlx2PxWKL0KPthJm', 'mGDZH52QUwuJ1T1wbRh'
            Source: inxVlfQD8T.exe, x0TQOZi42aExV6VvPs.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'eTwjEmZYKlSgpeRkA7o', 'jJOfUWZ5iVHqlTwmCfl', 'cPbqfvZDxOWNtvPaxfk', 'sctDjPZwp0vHAdItK2x', 'RfLaCYZWLZwABuZ4ebO', 'kpY1JWZ2vkRXPsqdidW'
            Source: inxVlfQD8T.exe, qudyZ9gdlwoflkxWkNj.csHigh entropy of concatenated method names: 'wNjbBx22RN', 'cRob5pjTpO', 'UIebHikhOU', 'CArbL9qKKP', 'MDMbePyBI0', 'dsFbfY8mGK', 'TLsAox4kguGRfyF4Yii', 'y9awlL4XdMxZfLG9wGh', 'vwFnGn4jX0cc6hdVSlH', 'kClrWU4nv5CUfwcLDis'
            Source: inxVlfQD8T.exe, XovHDpXrFbI6oqsapSa.csHigh entropy of concatenated method names: 'N7OlA6N8Mu', 'SexlD9j2LX', 'aQe0gOYBMcumAQSWxUo', 'bYVMdbY8Uwg2XF6YMl1', 'DvHOnIYMAeCNEFunEmJ', 'bLZLSEY3PCiN1DCUm32', 'qTNlyLADq3', 'v7UpP85sIx0j1CVpndC', 'YhXlrn5xwIDAxwGtIhB', 'jvZV6UY7X7xyax55NLj'
            Source: inxVlfQD8T.exe, Xu7gujD7whXxDRm0JbE.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'P6G2cRpaagJ8J9R9pgW', 'JswSUopgKXUqNOClRNb', 'H5jIDCpI4fswb1Ij9Uv', 'IvT53DpUI1duHK5LGt1', 'vQIJXNpOe09uEfudyc7', 'KmP0Ncpuj2HRZgYjdAh'
            Source: inxVlfQD8T.exe, I6OPmSqUpLyRQLh8y6.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'bLj5CSdFvI3Y7KVypT6', 'ru04LjdLk0Q3rC15Jhc', 't3i9MVdocQ4hr4lXWBO', 'fWOAoYdyihEDl49n32A', 'pjGAMidCJei7PerH3eO', 'HaMWQ6dVQoY4YAYDutK'
            Source: inxVlfQD8T.exe, SDl7Nvp6DgbK2WjnKSK.csHigh entropy of concatenated method names: 'sg9', 'p71sRAFEJ9', 'pw3DfK1wLv', 'ahisG2Hvlx', 'S8SLfDRk0GVdpfaGRrJ', 'WtFiZoRnPMomLxU16PO', 'OqSWw7RGTQ0KuoN1t03', 'qBRkcxRX2tRHhGYVlb8', 'Fng3WLRjyTYV7vN3OmG', 'F65QtWRJQw5g82wpWTT'
            Source: inxVlfQD8T.exe, HaF5YMXj4N9tTUGy92I.csHigh entropy of concatenated method names: 'FVL9fsgD6j', 'wGm9kFmcHQ', 'rQ71WkCDREYMPjT25aZ', 'P37WZBCw34mogfsmbrO', 'SlQLSqCWt0g2vGLGhoW', 'GTmZjaC2OnRbvJHBKiU', 'nhUi9SCR7mCyDeyw71f', 'eeSdd8CbRgiJhOmQN3O', 'p4oMFbC6YDgcnG7jdZ2', 'slJloSCElICOnVhaQoU'
            Source: inxVlfQD8T.exe, yZgdg6F6NmjDZ503cC.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'dLme1lHSjoeH30yJUSk', 'D6AgELH4JCgDmv9E4nK', 'KwcNkGHfLk82yW55cKY', 'RiHfNrHlKiKiDDycnt9', 'gM0K4IHAGmTBk38pd8t', 'dvNq7yHhA5uk0DTYJ4t'
            Source: inxVlfQD8T.exe, tYJngDtj88VL846wEUe.csHigh entropy of concatenated method names: 'Vp6pQaZ8oB', 'UVkpwmNxW1', 'udhplnjKj5', 'bhwfAmeNcaAO0QTeGSB', 'U9oFgheYO9aJpcwnwqc', 'SXNnajeVVKOVwxmeCHU', 'MIpdetergKCB1819OM8', 'Pg1aCRe5vi93c1UFEsN', 'iVBPv5eDk83F5itL0d4', 'gcfPuAewsObyZ1pbQ2T'
            Source: inxVlfQD8T.exe, j1wxvXpLctIcriBQPEM.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'gQy0dKRybdZSCacTUPn', 'qq7J7bRCJk3fOlsEB69', 'HRIO8ORVOtbg92iB4ah', 'DCWrZKRrRHuyNA1t83N'
            Source: inxVlfQD8T.exe, q07shIpAmVUhMXOV1fc.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'aa0sVyaCXV', 'WJbrQxmB0h', 'w1OsAG5pwd', 'W9qknSby8ENsBoCihU7', 'mDGJ84bCMORBlPiy3xm', 'xxaUt9bVb95C4C1yyaZ', 'XVsmDFbrhflDbcTP4OB', 'Qw26Q6bNdAokDIk6v0j'
            Source: inxVlfQD8T.exe, NKkSiWXICZpQaFXE65B.csHigh entropy of concatenated method names: 'AkFQdQk4Jl', 'E4OQtMHpD6', 'PjnQmjWiVK', 'jZ4Q3eCoEx', 'fkWQbWemKO', 'nPk58Brs8ghNkXj8buR', 'gLgSifrxMmyTmla2BBd', 'd2GQ4DV7yhW173SqW46', 'TBUWQtVzsH9aS2h5PwD', 'eCOLJ0rdWkZFfNF2S5P'
            Source: inxVlfQD8T.exe, arYXcJXc09OeZEjpDfq.csHigh entropy of concatenated method names: 'Kkh9zoTQ9S', 'y6qQUqCRu8', 'RFlQRqFah0', 'j56QG2v6fC', 'bu4Q9ChVxy', 'pKxQQAJKjO', 'pGXQwUYZ4V', 'KmZQlVJjQ4', 'e9vQVaSdFP', 'W9lQAWXsuH'
            Source: inxVlfQD8T.exe, TH8PAnZy0bTgxHeVIsG.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: inxVlfQD8T.exe, xgDBCFDp6R3nnsO9uu5.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'Cs0BDNqUtggVQa7Wtic', 'I5moy2qO7TPvgJGuf0S', 'J1aqNyquxHDnVN5VX4M', 'Hu5PriqKiaMp4dYVmvL', 'gD7JvOq9HldEpmOWjPO', 'KvaSeDq1xN112EUC6fH'
            Source: inxVlfQD8T.exe, aGBIrrDlDexLUwdiMPE.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'HVZClvFWEfhQAIxdsxt', 'N7RSAgF214Tum9JYaI4', 'jcCBbGFRiqr7Eky2fJC', 'PkioUYFbPii6D2EhHXD', 'SU6x9MF6eHTg4xUwfp4', 'PIm2Z6FEjnqiS0E2n6l'
            Source: inxVlfQD8T.exe, sZ977FtsnWTUwZfar5M.csHigh entropy of concatenated method names: 'lWYpas5c0I', 'wPjp8pHi6w', 'M6epEAjKAe', 'cebpIHZaY6', 'o0fp7gp2WM', 'fnW9soe110qDk9NCwWC', 'drQhUDeSMRd2pifydr0', 'q3AMdTeKpFPBMTi7hLu', 'UZI6j3e9xUsXXyfviLI', 'KNFN2Be4vI2aOXH41NR'
            Source: inxVlfQD8T.exe, PZn7m0pMUbgiJbacZlW.csHigh entropy of concatenated method names: '_269', '_5E7', 'dFVsnFJweA', 'Mz8', 'sjDsJ3uEjp', 'nI5LILbJEo7q4Sy0Ei9', 'UQATSrbM2PYkQQJS8Yj', 'djPWtMb367u77pfIOp6', 'vvE0OpbBEFGy8B5sL7x', 'wvccuKb8s2eCVUPtmwv'
            Source: inxVlfQD8T.exe, lZTBU4DFwMPjNMF11l4.csHigh entropy of concatenated method names: 'eSHRf7Ck5k', 'Q2T1hMv4STneHwyYNEF', 'PGX2YwvfU38A47gKkBe', 'Gw7wqhv1xJO8W2HFqZS', 'IIET3DvSvfdI2If876I', 'gFrB94vlhcr5l1m44m7', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: inxVlfQD8T.exe, gt8uA0pxNY4SaHd25Z5.csHigh entropy of concatenated method names: 'ubnpnh6452Ye9wI9bRq', 'OteQNa6fBQ6BFZEGrYt', 'LNcvvM61C0DQ2L2Pgj7', 'VsVNga6SlCSdliTiGnM', 'IWF', 'j72', 'GgJryDK9KY', 'wMorYFic9D', 'j4z', 's7Mr0NaGco'
            Source: inxVlfQD8T.exe, x6jKUI6BKYjRsTI6nu.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'tHxP2uZFELLKrEnalSi', 'KIE64iZLAQtL5MmMxGG', 'p2hNv1ZojfWHUA52gIH', 'jVe6otZyhK22Gl9iooK', 'X6ZH59ZCvjTMA4QGs82', 'JI6o0tZVIaO1ZD1gqKc'
            Source: inxVlfQD8T.exe, TkX9OcZXtZMG6hIEOu6.csHigh entropy of concatenated method names: 'wrlCAfuAQC', 'q2xCDiYs4M', '_8r1', 'p2QCrdvL4X', 'uKfCgwSiYq', 'UUwCOsy0Rv', 'CnkCptfAGb', 'P9YhTeArLScR9vjPfoa', 'qDgNlYANSOmHRcd78VZ', 'BcUUIpAYAUXTD7yUZml'
            Source: inxVlfQD8T.exe, oe3Zk8tyR3OWkuFH6K9.csHigh entropy of concatenated method names: 'vjOjaAqU0M', 'F5gj8pPEIt', 'sAWjElrTiA', 'NnmjI7bogU', 'OBEj7qFZig', 'G0ojFIaDqQhZ0ipmxy1', 'Rk9fDMaYp2typ9wrx9P', 'WhHpKfa5OgCAgCZstEx', 'hwiXe1awsE6yibjNhNy', 'UOxtOTaWxtEoIQDlriv'
            Source: inxVlfQD8T.exe, kyqZa8pHvIrZYdKxodU.csHigh entropy of concatenated method names: 'poNDoRw8Q2', 'UyvDJ1xTIf', 'B6SDyf0S1M', 'yEA5Rn2txrcYfuoUqhJ', 'oQHtim2hXTbgUAJerUM', 'yor50J2mTF9tPWuGbHA', 'pXdZAa204T5GormZwO9', 'UN6Dlk5K8w', 'OJSDVVcuLG', 'wKXDA1YtRU'
            Source: inxVlfQD8T.exe, XwdWvYXBnv24FCWNDVd.csHigh entropy of concatenated method names: 'MwVQfxFcyj', 'hXoQkQ9to0', 'avBQzogb0Q', 'TZEwUhmwXw', 'vCrwRh57NX', 'zTswGioVlK', 'qrWw9Qi0PK', 'qvAwQw6XZ9', 'xj0wwjALAn', 'AiBUKPrBRiTiEJvsDdA'
            Source: inxVlfQD8T.exe, rwCOZZZE5W8NFFaybi5.csHigh entropy of concatenated method names: 'Uty4Fy95e9', 'AVm4qFdw1Q', 'ViN4uRHWZh', 'YRy42kmd78', 'V6Z4caARTK', 'IFk4KKGJIx', '_838', 'vVb', 'g24', '_9oL'
            Source: inxVlfQD8T.exe, tPrw42DDox55hiKAoX2.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'zqOLxDqD0F0k5Q6higM', 'hX2fa9qw0RbRZHCwA33', 'bi7LPcqWJg8cRaaNi7D', 'VXvvCTq2RvG2RI37OEm', 'o2oiJrqRjKKYpm752ry', 'FPrKWFqbM3d319EHhZi'
            Source: inxVlfQD8T.exe, GQpRAfziXQk0bnt7vd.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'F56yorqHEMq4H0BDd4h', 'MFBICNqZaZEkv4DDwHN', 'a8HTNrqP2XSEFpdBY2e', 'gwybPuqqVvg1oKHEeEL', 'U064pLqpNURhbsqAfAq', 'Um6N4ZqQH9Gii4jvNlH'
            Source: inxVlfQD8T.exe, doteQAgbhpAABgY1sNf.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: inxVlfQD8T.exe, kcRMCdZY8e5qwsO06Bn.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: inxVlfQD8T.exe, Yt68BLtuVtUsDToQX1E.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: inxVlfQD8T.exe, CN8sHxtfgH7LVyJu8v3.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'UpMjUB9mEO', '_3il', 'CGgjR298SW', 'sP0jGYuu1V', '_78N', 'z3K'
            Source: inxVlfQD8T.exe, LWFfhPDuK4EPwq39cQC.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'urq301pD425CZVCoexs', 'SvUYWvpwWIQipWMvyeG', 'B3S4ZypWolE4jOpDDG4', 'zIewDqp28A4qORDKEDy', 'K4HOwlpRAI7E6l58Mnn', 'Y8y6UhpbiyFyTbfBOdU'
            Source: inxVlfQD8T.exe, mGjmN5MJWbJOs77cZx.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'FSJ3mjPg0he5hc9bw6C', 'oWL4UkPIBhg1rg7rg5u', 'zaKGZMPUhU9eijuK5ge', 'p44d30POvdFZJthmeGV', 'FuTKCHPucelIfCq03TU', 'cGbXXoPKIfxWenwarbR'
            Source: inxVlfQD8T.exe, VpDxGHD4Eb0ItLyNlfc.csHigh entropy of concatenated method names: 'XqYGmpJVLb', 'qRBG3aTIvu', 'IW9GbLO9y6', 'XZN2iNLFRes4dq8uYYs', 'JSt4QBLTRkCG24KIUAc', 'GZ6wQlLvTZuKUkqLQcy', 'lxGOBSLLTZyqtwJEtYg', 'OwEvtALoxnxnCHbDQH3', 'pCOEjDLyW5t0OAcOxQy', 'zlW96lLCWBuPTr8Zbux'
            Source: inxVlfQD8T.exe, KprM2ngT1TJJr2OE9II.csHigh entropy of concatenated method names: 'XQmbubOYve', 'dOcb2H3jhB', 'rLkbcZnIVP', 'p6ffvo4ATEoH6vDB184', 'rwTYTR4f0dCH9ihGvoq', 'H1qCXe4lhS4FNExOb3Q', 'd9HRpt4hDLPAO6WRDeh', 'Bf1ypk4mlLMdOoo0l6m', 'yPAQln4tuMOlnoWrVZr', 'X1OHeV40MtNrcBhDevw'
            Source: inxVlfQD8T.exe, XrsL4px0X7AnVtNSHT.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'Yqy4xRP0nW115fdQNbQ', 'yyG1XEPXBDRuEejZwOk', 'SdF351Pjf4jQS6H3LJT', 'GHCvUGPkZvyc0uVgyIR', 'hSJ7buPnlNx0nLHFk3H', 'kqdYouPGakXDV6yA6Va'
            Source: inxVlfQD8T.exe, q7s41DDmWejK9PGKssy.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'BP8VN7plEFUFu9bwnf8', 'upqjHWpAAqBODW8GCwg', 'Dakgt1phOtsrRqSddic', 'DguKuJpmDL3OokLpSmr', 'HwOnaGptdp0kNFVpDjN', 'GbbuyWp0obq7TtZYDFQ'
            Source: inxVlfQD8T.exe, w6qCDWGY8juJuR5CDxd.csHigh entropy of concatenated method names: 'jJwWbeIupu', 's60W4v8oV0', 'oINWC1N2sn', 'ryAW1ZH9fR', 'aDFWiXJgXd', 'b9sWXy8W6o', 'SlAWh8dPdE', 'XLLWS7sLtW', 'imsWWUd6hM', 'N89Wsx6wW0'
            Source: inxVlfQD8T.exe, KDkCCmaVYpjZRINOtC.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'eGfZnYH0G', 'xVRhBmdDBjnmmixw32P', 'zcvwJtdwnuUos1nWtSb', 'N7I0IddWAMeOssowJgt', 'QigmRFd2xAeBKgKWjx8', 'mjF134dRV2NZykVsI2n'
            Source: inxVlfQD8T.exe, Dm2AedDGH0JaxZvYkba.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'ib80D7qByQuf7cKdSLZ', 'm7RwD5q8l2kmaC6aTgV', 'V4eyllqcu5PctXtBN1t', 'uY9d4XqivqilFNAUx4y', 'bb4arwq7kC5MgWQXtL2', 'biQjXMqzikyIubspATI'
            Source: inxVlfQD8T.exe, zHYZvA3epDEdExWlRO.csHigh entropy of concatenated method names: 'QMr80uQnt', 'lMrEx6nGc', 'ykVIVmRIQ', 'gHF4eAxfOw12DBwMeIa', 'nSlFwOxSHY8QkDYt2Ky', 'fCUj9Dx4PsTlm0nNfmL', 'iW2x0Uxl3bvVqnD0ToM', 'lgHw1pxAZdcNsO9sc5K', 'g1oiEAxhgBbbVXvCXRT', 'Gvl0raxmn1nb7N02kuS'
            Source: inxVlfQD8T.exe, lTr33vg4KKhntywk1Dr.csHigh entropy of concatenated method names: 'SyR4iAkhuq', 'Dwl4X63vaT', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'rfr4hdUIxj', '_5f9', 'A6Y'
            Source: inxVlfQD8T.exe, YOajy7pDCM44Gb6nfau.csHigh entropy of concatenated method names: 'n5oVh8tG6N', 'O1cVSfFrib', 'gvoVWqawyv', 'KaDVsd0RQI', 'HAENZV5zdHfP1cipDnM', 'fo4UwY5igdXTtUlZblb', 'daMnb857jFZSvrTp8IB', 'sxCAP0Dsy9oxLwS2eyF', 'qv8QBfDxC5UGKFZRPQ0', 'WTg9wKDd3qOQwsJZsZf'
            Source: inxVlfQD8T.exe, l4AXsfGfd0NTsUjvjc.csHigh entropy of concatenated method names: 'xMrjpraQP', 'teLS2DKMXDrWNqgxKA', 'IFTGUTOG8YCuT53STv', 'IOguiguDKT85Jx965O', 'bI0vRZ90AauD1p52RM', 'QHYNst1vosm8d4EjYP', 'g3nGGf6vH', 'nbn9vVkYJ', 'EAbQAjNhv', 'fbLwuIn3g'
            Source: inxVlfQD8T.exe, hAvmkvpKVgM8T9noQHg.csHigh entropy of concatenated method names: 'WclA20oXei', 'nogAcUWWm3', 'MHeAKeCeCI', 'scguEgWXG9XRQSfg2GS', 'pKtCBrWjjiiC5XfZCQI', 'ViDhQSWkq4nUmIhJ79y', 'lpUI4xWnTespaDvvcJk', 'kv6l2GWGaJpqvieKJUr', 'WXuSU3WJW7O15yEoLty', 'IDJGPJWMTXOarWomyXk'
            Source: inxVlfQD8T.exe, fSblHsDA3otKfVK6PTM.csHigh entropy of concatenated method names: 'zkDGgQfaKg', 'IMEGOQAQSr', 'E8lUdaFLjbfbbB9MCpb', 'r89K8LFvAoQf41EN7yV', 'UZTrSXFF53vPPyB5WoE', 'KX8WLwFo4aYckaGAU27', 'ApXFrLFy9AtOFceu7H7', 'qPyBTKFCKdEMl1FCsh8', 'vdH3QBFVwoK98SuJgu0', 'TOPJ9HFrdwsOV75hdSq'
            Source: inxVlfQD8T.exe, eb0eRnDLybEAarKDmn8.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'IDybaQQ6blnWVe2UESh', 'nPWUMLQENPEQSP0iwcs', 'wYfeGSQe9OWfxA9a5hv', 'sfojSEQaun0WgyvekRW', 'lkX5FgQgxr4I8uIBGcN', 'i0aBgDQIOa4v7sykHeb'
            Source: inxVlfQD8T.exe, mfRZB3gpADl4DXUY1f5.csHigh entropy of concatenated method names: 'biqduFKRBhVtCRSKRji', 'iERMa0Kb0ayo0cYoqrp', 'mqvpcrKWOYt4xDlYHAX', 'yYUZyWK21JYbUaiObWw', 'n1rMbfMfJG', 'jSX48oKe1bE9RC1dPWp', 'ymycanKatdtDrGXlAmQ', 'IZ7qplK6Tcug1xbu6qF', 'AOlwLgKENpKAnTWgoOd', 'hXDkLKKgmfVgQOQHurr'
            Source: inxVlfQD8T.exe, hUN2biDwUYDDr1upXYt.csHigh entropy of concatenated method names: 'fc6R5KMWGE', 'o5OFMIv65lpe2cSFr3I', 'awT1RyvEKOv92DjmwoQ', 'HErhd9vR6AKLyJyEvb2', 'voyGrKvb8AKNho63CRl', 't6EnnGvekynH9n7AGg1', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: inxVlfQD8T.exe, X07W1jp7AyWMiRdD0ck.csHigh entropy of concatenated method names: '_223', 'ekyTx3WYDSGwPl6oN9Q', 'X7dgIuW5yhmg9p7OgXY', 'dUGb1BWDyK9jhjh1hga', 'FRnehoWwchvwMmn3SsB', 'MJNFGfWWJVMAWjS0xeF', 'lh73nLW2MTYdTxStGWc', 'rqO9XmWRAcToNiLDHSn', 'pmAmu5WboxQgV6Fc1Kd', 'ws1F0QW6Di6IpYhptsv'
            Source: inxVlfQD8T.exe, RNFY1KZLNdCSVZ04oVO.csHigh entropy of concatenated method names: 'pAiCMKv7RC', 'dsOCdCBVqW', 'bIVCtMvN5X', 'XNOCmj4ZhM', 'auAC3affqb', 'hmrvbhAcGZDwhAXHGN6', 'SUNALNAi90K1yFi7aP1', 'ngFeSlA7GxTeBDUNCyv', 'iExEN4AzJYVgGn3YLJA', 'i28KarhsB3kih2HcvwW'
            Source: inxVlfQD8T.exe, EHGZkeDgefTx8S5TVsf.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'FrjlTPqXaej8tlR7gok', 'l0US0Oqjvpp33C20ItV', 'UJcJKnqkqgkfpsY5XUP', 'F4vpivqnl772dsewkHp', 'MTPrdQqGFBiQWiDPjt6', 'EkSqKfqJG6DM33UaCpw'
            Source: inxVlfQD8T.exe, wVERs0UUPMkRxTT4GU.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'ngR7YHP3hKZk3vmTsPl', 'wqjks8PBDtJqEr11LeN', 'dHfKlsP8Zcs7v06JtMR', 'OGjhBrPcVMo6KFNEgSX', 'VxUjt4Picd4P8tmH5b8', 'sbhQyIP7shj5alTg2UI'
            Source: inxVlfQD8T.exe, Jj6JfGZahMuUdNgSm1i.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'xcQ14Atn55', 'Qx61COCCoK', 'wgO11Ctnac', 'jKv1iJApwP', 'h2y1XY9hDc', 'wWR1hx6RP2', 'R0HA2cm42t5h8ETB6M8'
            Source: inxVlfQD8T.exe, r0FyOhX2Zy4cl50a90J.csHigh entropy of concatenated method names: 'Ah5QjqWBXE', 'y1xQndE1An', 'xFjHfrV6PNUNsApTQt4', 'JE7EZ0VEYF74bAUVJ0v', 'y0S2tSVREOU35qpFi0q', 'BGbi6PVbx8qRHujoSYB', 'qkIAAtVe62LngwxVK87', 'Rr2khgVaJvsEmAbr6ID', 'EwrKpJVgLm1ZFwxMw4a', 'pUrPeuVIT6Lnm7QQe6x'
            Source: inxVlfQD8T.exe, qvkC4gI3XD8skEh53a.csHigh entropy of concatenated method names: 'TUAb8vSTC', 'Syi41w03Z', 'ecdCgdJso', 'dFV1FJweA', 'VlXiWM7eD', 'sjDX3uEjp', 'dhdhO4vW7', 'UCAImJxQqRIAdNcpfyS', 'nO7ytSxT7sPuF68sy4X', 'OqmDKNxveTtqYRCurYb'
            Source: inxVlfQD8T.exe, h8wA9lDYpAmfm8lrwZ6.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'TPNtExQjaxljoZhvwG4', 'Q7ZpHQQkRh5yfaX8FPO', 'xyOIruQnyfwMkea7TX5', 'rvSSSjQGjgA9CIyglme', 'NDp20uQJJFJ4jcwrM4r', 'nSWbiJQMANsBJL6y83J'
            Source: inxVlfQD8T.exe, b4kyHJrokANNTqG2A0.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'zp0qYEH89ssVyARWbW0', 'r4SW6iHcNnHpYH0wAtW', 'L5JlRkHiZB01fvB2hYS', 'BYqnrHH7EtCyF4rxPj2', 'NeIF1RHz3sVMJMO9xtT', 'Gk62FIZsdAMrtsOLUnD'
            Source: inxVlfQD8T.exe, aH8ActZhHqLjf8x3NQn.csHigh entropy of concatenated method names: 'PaeX7bq7S5', 'EOBEAbtUAXAVhgFnCUq', 'aq0FNrtOLDWfQy8brwe', 'sbSLgetg4kbFYK50hxC', 'BT6X0XtILFIrJaDbAlS', '_1fi', 'LcLiKJQ6lx', '_676', 'IG9', 'mdP'
            Source: inxVlfQD8T.exe, T4Cnc4XXQlf9WOfpiao.csHigh entropy of concatenated method names: 'IRmGuIxNZh', 'IP9G20Gm8G', 'GiNGc9CNyh', 'SLAGKFfhhk', 'Q4qGBGShvQ', 'ClyG5D0bCF', 't4QmtroYf2OshqwgQQl', 'Ka3oVdo5KfP7JYUJGd3', 'OL1mSxormiYwfr41J39', 'aTfvXloNm7tyhVcE9ye'
            Source: inxVlfQD8T.exe, yWb7eFtxvQ56Z8qw9hi.csHigh entropy of concatenated method names: 'XAVo4Fdn1F', 'MY9o1ACXoD', 'dEvojfuDu5', 'A8nondUlRf', 'uakooNqlLB', 'BgBoJSguwJ', 'cEToylmhm9', 'TNKoYs30RX', 'qp9o01x8wG', 'ksZoNioGG0'
            Source: inxVlfQD8T.exe, w3GrXfZPp9EC43ZNpyu.csHigh entropy of concatenated method names: 'Sdbhm2uixS', '_1kO', '_9v4', '_294', 'SEeh3xpMDE', 'euj', 'cIHhbIhAbn', 'QjCh4xHgrU', 'o87', 'W32hCftgl0'
            Source: inxVlfQD8T.exe, l8W0LTXw4Z9TZiVOHaP.csHigh entropy of concatenated method names: 'QmAwhuiNYy', 'VafHClNip0sPJrQ8kC7', 'srmwSfN7NKbPaExjpAX', 'qlm0ufN8F2t2TfiMVsY', 'FGqKVVNcfwNbwLlerkh', 'Xv36jiNzFsKg3AbjGwW', 'sASLaXYscSb2sLNY5st', 'EkUTutYxBAglUxUxNsX', 'GVYfc0YdsOds641eiWO', 'KWscrYYHnmh6KJEOuZy'
            Source: inxVlfQD8T.exe, j61t9ipm1k2E59byxDj.csHigh entropy of concatenated method names: 'yvuAPnmZ1K', 'uqsAvGw1l6', 'uIFAFmq8fQ', 'yx1Aq7PspK', 'sk8M9bW9iSKhT3AG5JQ', 'V3jHQyW1UD6C5vROcQm', 'xHTd2gWSim6ID0DrAD3', 'x2oCZqWuR6QZUqMtu8f', 'WJZOaMWKWLgruXP2Zet', 'lKbDrQW4B7WsbiMMSXf'
            Source: inxVlfQD8T.exe, Nmw0T1tU8t9TvytPQeE.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: inxVlfQD8T.exe, RVZjBrJdrk0UQWJW9V.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'JnnPjCQNp', 'UkZ9ptd1AQU3KDT0SNG', 'K6KUi3dSKVJ1grpmlDe', 'tMM0U8d4fJHNYUAVuQR', 'gQHaXVdfhftphHjqfN0', 'u0LR9cdlQOLT08Qp494'
            Source: inxVlfQD8T.exe, mG05MHDBpD8Pm3hJwPd.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'NBQTGFTSaq74G63cq1q', 'Va9JBNT4XrBSvHxWs6J', 'srKu4fTfn4Q3V73s7sl', 'NR6UDgTlPFQWYEGT8O4', 'lTwYWPTALxl1iYKPNiN', 'rkRngWThu244Xwn9nWU'
            Source: inxVlfQD8T.exe, yRCtW6ZiBgtOI9YCmoX.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'iA2hDGDtU3', 'BGYhrYiJD5', 'd9fhgi2qG2', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: inxVlfQD8T.exe, UkD7xbGSvF2WJSQfMo4.csHigh entropy of concatenated method names: 'kP53juXen01r6LkV2e8', 'yLpUVSXad5b6JOO8IHw', 'rlk0d1X6WBPBTYluf0k', 'QD9exoXEftTlc32WD03', 'SfrWngt6LZ', 'cHx7cKXUvr0McmOyYEE', 'A0Rs4FXO02YYUwxMx7A', 'aBfBh8XuVSkL14DL6g3', 'Jk3KySXKWxtVtmXHGRY', 'qHGyFiX94xqFkklYP8J'
            Source: inxVlfQD8T.exe, dKOHKFGusnMslQdwUBS.csHigh entropy of concatenated method names: 'PgJ1paNNxMMra', 'sCFkhUXVEZitryWyFsb', 'J9kC8iXrq2HRxwbnVL1', 'tUgAnBXNyJuPhXnEmV1', 'ERTS2xXYVOF7refwsVC', 'tMV7OKX5KIE3ZecvKGG', 'aNjh5SXy5XjHGLWAy0g', 'sFLSEIXC5laHEQx2ZH9', 'OQTaKyXDXJ2bEmdqIqT', 'u7YgjvXwVgtdeV0ZUK8'
            Source: inxVlfQD8T.exe, xrK1qDDKVYhZqhSoyD6.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'uKt3v8pMZjTIPsQdd7L', 'nh3OYBp3AxEISIZVXHp', 'M19eDApBKCUF29wN18E', 'nTFLyFp8q5xPoAfsQDV', 'aw47Aypca1ti7eAZUc7', 'YgC6iHpiQWVpWQYJrxX'
            Source: inxVlfQD8T.exe, FJfmMnt7OvbfdKQiPXq.csHigh entropy of concatenated method names: 'NaOOEKcjxM', 'd12OItmjpr', 's11O7Go0pR', 'TEvO6kE8EC', 'Nv8OZya7Fw', 'DUZJAQE7NXl2H44Ur1S', 's0SntUEznEt8VvhObZa', 'D1Wc8IEc2dAP72ut5dN', 'y1L383Eitts0FRHWFDm', 'SlLrB9es3N5WQ2xtZ0c'
            Source: inxVlfQD8T.exe, CTHDto8PpoKyxZlqCJ.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'HZUNyWdic8ogSJ4DkIc', 'XLCffbd7FlQANsh5g0a', 'AKmNr6dzaX1nrNoZr6B', 'N4h8RqHsvdNCyx8sFtV', 'eqoFVhHxIX8hOLo22wF', 'Lh09G8Hd0bHfM31odjn'
            Source: inxVlfQD8T.exe, tY7Z2NptWYF8Ccg8Pvm.csHigh entropy of concatenated method names: 'MJxVTZs9lU', 'utXVPd9Ony', 'CwUVvjObBd', 'j1ZVFgaYQ3', 'nOhVqeTAo8', 'uvsVuW7Bx0', 'D57A45DI2L3CNnQ0AN1', 'fDZrkwDahKd6Tn4JhQP', 'SRh2fxDgXc4M3BFwseW', 'YNCW8JDUi7jtB4I7vgI'
            Source: inxVlfQD8T.exe, HMfpcggyF43feJstIg7.csHigh entropy of concatenated method names: 'agib6bCVyY', 'JEGbZFu4aW', 'AOTbxGI8Hb', 'RbybTPvFV9', 'lsFbPUr8ZE', 'qsneiN4gy6dVsLAL7nh', 'JZQUf34ePjxIEuCW2Xr', 'vVWGxL4aX9ionbhrG9N', 'vUueUP4IjXHu2bYcY65', 'jqrF6G4UpPvcpRd56uF'
            Source: inxVlfQD8T.exe, xjcyeZtCUCAf9WB6SYi.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: inxVlfQD8T.exe, nLqloXD1TJanZerUJcv.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Bv5CE7Q10gZ4gpWJaVg', 'I2ZRWRQS7lJdRba80hw', 'yK6kqxQ4YJbaSm7B3Ua', 'RLGBB2Qfs6xWwbsetMT', 'rBKmP9Qlv3ZnuZcaqog', 'rCFpafQA331wGYf8TGk'
            Source: inxVlfQD8T.exe, vR7KTLXFl8NYk7bFsbV.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'y1tw84jmTi', 'iCkwEm9ys4', 'lLowI5FRmZ', 'aKIw76tGMD', 'sf4w6bcdfJ', 'mXA968YTyLdsjbQSX4K', 'mikCHhYv4YQCurjRZnJ', 'rXlJAdYpXvlYUEuZKfj'

            Persistence and Installation Behavior

            barindex
            Creates processes via WMI
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Drops PE files with benign system names
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Users\Default\Favorites\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Recovery\winlogon.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\addins\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Recovery\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Program Files (x86)\Windows Defender\en-GB\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exeJump to dropped file
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile created: C:\Windows\addins\xzCoZyfxKxCkf.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /f
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeMemory allocated: F10000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeMemory allocated: 1A860000 memory reserve | memory write watchJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeMemory allocated: 2B80000 memory reserve | memory write watchJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeMemory allocated: 1ADA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeMemory allocated: F10000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeMemory allocated: 1AED0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWindow / User API: threadDelayed 1617Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeWindow / User API: threadDelayed 583Jump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeWindow / User API: threadDelayed 468Jump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeWindow / User API: threadDelayed 485Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exe TID: 7692Thread sleep count: 1617 > 30Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exe TID: 7684Thread sleep count: 583 > 30Jump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exe TID: 7668Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exe TID: 4324Thread sleep count: 468 > 30Jump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exe TID: 7428Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe TID: 5960Thread sleep count: 485 > 30Jump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe TID: 2504Thread sleep count: 87 > 30Jump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe TID: 7232Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: inxVlfQD8T.exe, 00000000.00000002.1695181027.000000001BE26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /fJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeQueries volume information: C:\Users\user\Desktop\inxVlfQD8T.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Recovery\xzCoZyfxKxCkf.exeQueries volume information: C:\Recovery\xzCoZyfxKxCkf.exe VolumeInformationJump to behavior
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exeQueries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inxVlfQD8T.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected DCRat
            Source: Yara matchFile source: 00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.1758461967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000016.00000002.1758511140.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inxVlfQD8T.exe PID: 7644, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xzCoZyfxKxCkf.exe PID: 8060, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xzCoZyfxKxCkf.exe PID: 8080, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected DCRat
            Source: Yara matchFile source: 00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.1758461967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000016.00000002.1758511140.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inxVlfQD8T.exe PID: 7644, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xzCoZyfxKxCkf.exe PID: 8060, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xzCoZyfxKxCkf.exe PID: 8080, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		11
            Process Injection            		123
            Masquerading            		OS Credential Dumping11
            Security Software Discovery            		Remote Services11
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Scheduled Task/Job            		1
            DLL Side-Loading            		1
            Scheduled Task/Job            		1
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		31
            Virtualization/Sandbox Evasion            		Security Account Manager31
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Obfuscated Files or Information            		Cached Domain Credentials14
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1446925 Sample: inxVlfQD8T.exe Startdate: 24/05/2024 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Antivirus detection for URL or domain 2->32 34 Antivirus detection for dropped file 2->34 36 12 other signatures 2->36 6 inxVlfQD8T.exe 1 47 2->6         started        10 xzCoZyfxKxCkf.exe 2 2->10         started        12 xzCoZyfxKxCkf.exe 2 2->12         started        process3 file4 22 C:\Windows\addins\xzCoZyfxKxCkf.exe, PE32 6->22 dropped 24 C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exe, PE32 6->24 dropped 26 C:\Users\Default\...\xzCoZyfxKxCkf.exe, PE32 6->26 dropped 28 11 other malicious files 6->28 dropped 38 Uses schtasks.exe or at.exe to add and modify task schedules 6->38 40 Creates processes via WMI 6->40 42 Drops PE files with benign system names 6->42 14 schtasks.exe 6->14         started        16 schtasks.exe 6->16         started        18 schtasks.exe 6->18         started        20 34 other processes 6->20 44 Multi AV Scanner detection for dropped file 10->44 signatures5 process6

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            inxVlfQD8T.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            inxVlfQD8T.exe100%AviraHEUR/AGEN.1323984
            inxVlfQD8T.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Recovery\winlogon.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%AviraHEUR/AGEN.1323984
            C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Recovery\winlogon.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe100%Joe Sandbox ML
            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Windows Defender\en-GB\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Windows NT\TableTextService\en-US\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Recovery\winlogon.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Recovery\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Users\Default\Favorites\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Windows\addins\xzCoZyfxKxCkf.exe84%ReversingLabsByteCode-MSIL.Ransomware.Prometheus

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X100%Avira URL Cloudmalware

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://a0984800.xsph.ru/@zd3bk5Wa3RHb1FmZlR0Xtrue
            • Avira URL Cloud: malware
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinxVlfQD8T.exe, 00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1446925
            Start date and time:2024-05-24 01:26:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 49s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:40
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:inxVlfQD8T.exe
            renamed because original name is a hash value
            Original Sample Name:29caab9a27e99e61bf3b056eda3bb63e.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@41/44@0/0
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 58%
            • Number of executed functions: 250
            • Number of non-executed functions: 1
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target inxVlfQD8T.exe, PID 7644 because it is empty
            • Execution Graph export aborted for target xzCoZyfxKxCkf.exe, PID 8060 because it is empty
            • Execution Graph export aborted for target xzCoZyfxKxCkf.exe, PID 8080 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: inxVlfQD8T.exe

            Simulations

            Behavior and APIs

            TimeTypeDescription
            00:26:57Task SchedulerRun new task: xzCoZyfxKxCkf path: "C:\Recovery\xzCoZyfxKxCkf.exe"
            00:26:57Task SchedulerRun new task: xzCoZyfxKxCkfx path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe"
            00:26:59Task SchedulerRun new task: smss path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe"
            00:26:59Task SchedulerRun new task: smsss path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe"
            00:26:59Task SchedulerRun new task: winlogon path: "C:\Recovery\winlogon.exe"
            00:26:59Task SchedulerRun new task: winlogonw path: "C:\Recovery\winlogon.exe"

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\Java\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (664), with no line terminators
            Category:dropped
            Size (bytes):664
            Entropy (8bit):5.882519868239775
            Encrypted:false
            SSDEEP:12:Dzi+F1dmLcLpkEwCIrufMgLxxFUG93jDknBw7o/NpY:HiMULyp3dFjUG1sBsoVe
            MD5:9F6BDFE0412E813E0C2E9EBADF44EF9A
            SHA1:924B006959863C6E71E17AAEB16882AA7891A866
            SHA-256:60FABBBDA278D921B2783A84D0B5E291A29CD735E036DE4F236FBA7E3E960C73
            SHA-512:86F81EE65A70DADB17ED2DB74B54F55A5AF0DECADC96BEAA6D264BB1E7796B891237861172EABF830514278526EC9CB5465493815018DFCA43EB7056FFE71B71
            Malicious:false
            Preview:imlo2btgQ5fVskDH5MIora4JHXhDLX5Q73HfqgofJ2FmNcs2hJ6K1f7Isbhf4pU2APYycibYhmfyUS5opogCbuYb69xO8JldiNl8E3Z9shmOAJyZg3zPJSaP162duMZYBBPGr7jvPhU4IKawLXsFUVUQwVHIB6OfHOM94rsiTDAm8gHqfGSXeUEqq9UV0buTSyx37a1eoJwQVrSQOam4n0AxKgS4WXs1SrTJsNtFOysVhxV9rDHaz0pcyAtaH6HRb57nYIhAqgpzIpPWLTNTQRBcB1UseT7Rqb4l0rkifGuSK0UJuWPytyBJ4fmgxzgXjYIqungetoxJhsSLhL7HDJi2avrUEDuqjXtwrnYG0uEEA1lLNa9m1ZTazPQ95LZp4HjK9fd4w1QSEd2jJgHoEIyKDS6bXZKoVZK2RbMr7F0AIAWWXq0ZEvlwSZGqjBgXqm7oT9SsTaq8SyBD6kEqjvkkyYj1UfH5icTgDrCXYIFnEmdeXDt960y5BW05ZaXxSvazefAPhrRbp6fM4FdRwI8soYfq1H78uRVSLo92CebPiXQF0nAU6FBKxrKG9UYauTqXlNAPFlPRqtKRIZzNGnCpPLfee32sGBfPq2dnnvOV0ueEh27jfKTHQBHasgvLsgKoO4lQ6LjVYryfqa6l6SM5

            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files (x86)\Java\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files (x86)\Windows Defender\en-GB\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (499), with no line terminators
            Category:dropped
            Size (bytes):499
            Entropy (8bit):5.865826423170417
            Encrypted:false
            SSDEEP:12:99g2Ze/dR6wsXVLpd104KojrMOcX0w2Zpax1gnwkcnCwCLJRD:9ho6fZpzJXM2IbdCwCzD
            MD5:0E67D7C662FEA6B480AA028DCCD9C492
            SHA1:329902DDF7F6D8FDE27B4F0E791282046DAED441
            SHA-256:204B323E4020B71251FD4655E914C0191B2253CCDACDF4F4D8EE831F90F42D43
            SHA-512:3F75940FC2E24F2429976D3752426E2AE151E9669EF8EE9F37D0E613018214009F7ECBE92F1C778184C1EEEDC6E5690215AA605639D317CB22FD913FE489455A
            Malicious:false
            Preview:u7rl1VBcP8XhDwgTH0tbd7f6ujSujUc2uY2LbVnhiUMAmEklrkJh2DBxcu1RDR24ffwo4V2wNL3IueUq9rD9L5ArXFtrdVeRcSeHR5qWsXUqK2C7aLSVO3tkfFRzlKS1rmqcAMYEAqQxlThfCwRSDICii3lMn0vhFc8iLj7NwNUhm69Lhwwz3AyijH4GkMaJ5tsJU9TdyDfzxf6m4ao0E5oEnZ8Dp0mkxLl2N00idTAze9vDLSMKikF9Fnf5AQy7b5Bm3DYDjFXu5ykno51WocBNFmxkU5iMeCYi7IJH3IkcMUDQD1QEYbT83yhRPysnhKQ3aBpfvudf1jAuihhcpdyDtZpIl22Fa64BEKzBMvTo8xHTywtrRP8EWMJBWg332XF4p8pXsfQ4JKE6RVUzIKxK8zp1Axop1ZvkrMozGV9v8E4LINtBMEusj560SyW40lCuYdOErfsxKCL34dtxEncxoDAvQxgS9F4XBKxo8oTrV7hhtC6

            C:\Program Files (x86)\Windows Defender\en-GB\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files (x86)\Windows Defender\en-GB\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files (x86)\Windows NT\TableTextService\en-US\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):168
            Entropy (8bit):5.7074239741100286
            Encrypted:false
            SSDEEP:3:ATaJpCZgwGspXT6FM1nIuWvu0hrpQvsQQuLd0XYXLSPJwWfOGwuWcODH:ATaJpzwGEfiu0hrdFuLd0XY7wwWIcu
            MD5:3001A66161C3FF2608FBBCB8B5CFF2AF
            SHA1:71B051CB07A17CEBF71BBFADAF92E6DAC3BB183E
            SHA-256:83A0D9DAEE4D60442FA49AF430ACB143B85A073C785285CD64790CC68A53450B
            SHA-512:222983251D4BA50BAF1E70A69B9C585098CAF552321A5F75859EDE905799CD3FEC7094B2E9A86B7FC526754FC70DA44775BCC6120FD66EE7760A1832AA11CD47
            Malicious:false
            Preview:guoChQvYRcnOA4w4JBQugdggKGEKZcelOpVnGrm2zjR3xGZAiElwzNnCNH2bLl8z8B9VjIybYX57LntDqEmV0swACSa8zLrNkc5vGEaZPJXbSp1kYyuH9n8QP8SRr0mNqrWtr77mnMGrUUsWbzjBakN7epgHvJrZgKvkTH2b

            C:\Program Files (x86)\Windows NT\TableTextService\en-US\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files (x86)\Windows NT\TableTextService\en-US\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (335), with no line terminators
            Category:dropped
            Size (bytes):335
            Entropy (8bit):5.81287769950189
            Encrypted:false
            SSDEEP:6:x8PSetLgkWEqThEF/MOG7AVWq704r3w/tp2iHWdEijzJgRKzzHZac85Ra:xDiLHM41GmWyrA/tcRdXgmzHH85Ra
            MD5:DA53F8ED76BCFDEBEE0F7530F7079EA1
            SHA1:C913EB785EC31F14A90ACDB2A005A1A7300C18FE
            SHA-256:B4853463D33A67637E6768D5E885C8E818CCD108B9890375751CD4D9E8CEE37B
            SHA-512:71FF72AD1F29F4F30C42AFB5CCC0D024BE05B2B8793AEA37E3EE1962DB7E0D3D917EAC1B2E9E629519428B9DCE36B858A2599F242FF15BBE4A1D4ACBFEF883B6
            Malicious:false
            Preview:oOcqYH6ZFy5P9fEurYgpEw79wFLogoYEHPZCEJzwGBWC3FMnSEOL2OP1Rc3S6S2aa0HuGBqiiuiDa4Fr3hWcaMM29hulPh0yI5lC7bgQXqnIqMbWWMYY5aAOoPuiRFSB4t4eTDtcBFEtiEMxGXOCIb2s4WXsq79SXlO6R6DTd6X0WRpkD7c31Q2c0Mk6pBvDFvV70PgJU4jMECWnrxotfGbHtvFEVGnbKUvk5stxbSi6qqXyz7P1WCh9UNNEJbxNRHBuRvr8E1RMhebDYROY1vEHwvPrepn9eUpjomhEPQxfuVbzwKq2MZWfC38fg9eYNRrNz1YvtKIl8jW

            C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files\7-Zip\Lang\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):270
            Entropy (8bit):5.774688319136408
            Encrypted:false
            SSDEEP:6:0N2nXH1BsVY2cN2EQ2iSMIjnVP72TTmF/ROdAW71V8PJo:02X/2ckEQ3ITVP72TadsAW71VeJo
            MD5:C07C3934FD6ED5D3B732DE1A158677A8
            SHA1:6FFF9DF89E788A0B7D9D5B96BD631696F8A7794F
            SHA-256:E90026618013D20820F16AD0739B9863F1B335C24E5E3AB4133339785F5C23FE
            SHA-512:62629F58A3C28EF313B8FABAA3D3A9E34DB2ACC6CBDFC470073B69E3BD3B0736B628856E78493430F8B85B715A4BB96B23AAF2EEFEC31F59C8AFF770E497480E
            Malicious:false
            Preview:6MrvBDNE3oZrAbwChvDq1mRI23DsHmvwA9fMuky1IH4W4By7oved8BYU4j2H9f7R2mqB5kR67Litr5N0FFDWHSy8kLRLrq1nKndSUwBEdhgwdom9WBC4bkKkxsauTGPQT4jEb4gSD92jvCe5jRzpo7Ljc2emWRvXSPciFhibft1crkzvNeLBRjmWs9lia36vNfRgj60BsXK4Gt22DsZ1GtFsmGzG59AlxFOLTTMRoJS3ZsP9HtereEpeai3cGtFtXiGAeqjugIN6aM

            C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files\Common Files\microsoft shared\Stationery\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (387), with no line terminators
            Category:dropped
            Size (bytes):387
            Entropy (8bit):5.828140943724095
            Encrypted:false
            SSDEEP:12:BVJiZmsAcjJsCxV6s07QydymquRlPipWtw9xQ:BziEs5jJseTeQOymqagWtw9xQ
            MD5:9D0E6E88156545086B822D30644C9D2F
            SHA1:7FFDCED5B0A1E0317A5B3A61398C7ED2002491AE
            SHA-256:7F024C8B73263EA3AF8AD43F2C1C10D8C11FF3932AFC650CF4A5D637D84338BD
            SHA-512:31B7D3492551DDB27CFE8CD274A303A77377966393525F02790726277102E4FF87BB678CDB9807252E53FACA1E39D61FEEDCFA7707DBF541AB293E1843591D97
            Malicious:false
            Preview:vSodDbpDuLvGucE43WhnrHhI3etpQuxQFPn08hOfSuepAsnbBEOABdpougjisAx9YfAeyO6VICV7m1HL1RnLgwOmj9Gc8pwR6eRfrImxI319HsB3YXraWldmRY4zIeXdPEAIkldsp0Dm4Pe17NDk8W5UApOTNxpogYtDr3Sx38ugi0rB3D14axf3IqH5XKe2LYGggbKE4Qq9lZvK7MaK5uNs304BvXZtd2VJtLfb3xAKGfRt477KuU6aLXmpgISg06fsDlawr8QItCmXiLGyaO9J548Wiz5uedTK9ipSgLdvDyrJvPGVCdGm7WxJnEN1DgnPscYAfySPvNFGNykTsjsAXrMmvgoc7lshLbaT0G0NL10tQq6ye3Jdxn1APvP9JzR

            C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files\Microsoft\OneDrive\ListSync\settings\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (778), with no line terminators
            Category:dropped
            Size (bytes):778
            Entropy (8bit):5.879134933971694
            Encrypted:false
            SSDEEP:12:tRxNflt0hzHclUa2/BXCTKwaElmC7Mvd4T/pZzJyUSy6uEqI0hb+:t3NflM7a2NAuC7MuT/Lwy6uEd0w
            MD5:6EDDB6007FBD54C86C16E5BF3D99A26E
            SHA1:4D9EB824608187467FCE5648BF32D3AD8926A5C7
            SHA-256:81653F8B90313CF00B4489CEA980C12FA1799B15000B7D7AD2D7FBF15C9D7A37
            SHA-512:AB11A844534DC2E9FC077F8FAE1A09A0ADD8532C02842C560475C1B354230E84E47BB0D3F6CAB69C9241727E1526BC6213F8F62935421A4D4316A6DD12321F56
            Malicious:false
            Preview:0tQ4TnLlR77IC2bCItg8S9p4dgidKjbgI1vGXOqZeTgxGUKBq3F69vd1DVbwEsargaALGVp3DHd8c2yIWhxQefhXY4CBx3Uw3yQpU94UOL22ReYKgSah5KNB3nxMSnGJxrFnmJyXncBSmoF3g2efdw1slPvrLsBlFsFkZuiXdD4cI4YPh4paIkqAzWCWXGL4aaN3jeewTHBa2Ykq0gJRCldeCFuCrL9W19CsqfqCZ3HAiQHawVg1741z6s1etcEIHoi3W29UzG1Jec6v7TPVpHZ7IMv8oMT7z833rOE4VLB0CsVewFgaMsc9PlvJHBqnx4UfjCDtPVAdFj4Z1QMip3vGg3oFd5xUfYCIX05tBwK0s94prVS0zH84IN8pY7QUiq8rgvBBVch2s4Yg88YHm6eXZI9K1PUDg0SCBMJ5TQeWkFMOzcqajIrlLkRYw1KGIdW1mWfwydyWcIxU5vUZi4eYJq0a5uJbGYOGsUld64lGTUJDw7cAgvhN97s5fF1ETWPD3qllJ1cnSXEyhxo8SJ5V0AHulq81Dhw7FFJFV10pS45l34Yra3vKb4N3j09d2lkvkHtboimaSPC6Fg1qRRaKvmfK1Qge1WwqTJAwL6D1QV1L1RxC9TLlLaA8likYCIj5cWm5gEeVOi3auUSkcdfiKLf3JBLnWoyIw6tfp1g4y0XmgjOQP95jmAuR0swe318jtuoykx4k6ltUx3Wjx4XWtPfvLbo7FCA61y2v5ZqcFVnBQae7VNq8em0eO2nJI7f3kxc8Al

            C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (750), with no line terminators
            Category:dropped
            Size (bytes):750
            Entropy (8bit):5.8853498651636444
            Encrypted:false
            SSDEEP:12:QRgb8R8H70TITx9bntqbJitz0ZHG48HNMvJMgyUfrks5LCHXme:JbR7LTvwbJitwJ2NMagHTLC3me
            MD5:98A190D42DF5B9EB5DA58079FD75AD3C
            SHA1:B1FE619F6B9CA239E73B0A82D59EAE9C2DB8391E
            SHA-256:10569A88A0A64485C57C00050DAFFD3D64C11425C111860A65C459ABAD85BA8C
            SHA-512:5226F93C15759CD8CC4FC4AD7D7BBCE525537EC56936F971340C9906D2E1E2026AF24F2DC2B1F0F6EEA35424FA28DB222367E685F5466619BF497150501C0788
            Malicious:false
            Preview:ZtK4Ejf0lPeaKuLW1sDNP9lPu3OEbYku4yVw7S20qcSlViBuGu1srieaH5JKVaZNougWZZZizMhxqA3M2d8rg2DWT4oCJrfPDE6lBpVrUS2eBrtHB7S2crrwrKCeuXZHrRumDRKNHQWN9iUmLhALZmwVXK41n1673uxt7GDtxFuMUdwIzZTNWOsEeYP3XSjQUZUPvlpEdRXU1kA4XvBNhskpCsOi1KWefe15IhXOtPuF0XM3XVflQWslyoMCWGMS52zXtFv0YxdS7fzogVKgpuOIvQHdUV2nDcJ7izKSjoNd2anSzigB6pnKoqlc8RgD50OfV1GqK27AhvQVmyovy1qXy9S2NrUSHKhBLH67bz0Dsmn3ZQ0JnuOEJ1qWjOccip3XNOJe2qU9AnpMVYc71KoW5d2UakYNWYfDtQqLGVR6aPEgLeBKvekXAgbuWzDSSGmlImdFsR1f3r5qZVJ6iNc1xHDMz6yQS9oUmcXjB6cenFdSkuVAqHtEouyAjQPwckN4DlD78k5mu8OsnulElykKQjq2nW9vqpBC1jP9rXCFLGUqgGXyoLLo9Cod4LTlkK6E6L0EfmXNve8JPAWh9KGeeXCy4wFfEafBJPtUPSTCy82eDeN3zvlZDckjICKsg1IU97AAQBSr1EpgfiuZiLpSzG8qoKLNHkf6zhfGeMnxd3i8wEEkRvJVLzf38TVG0EjQjsq7Co5Vi2z5h93kGk6WaJvABmHK1g7YUSZEXGimzy

            C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Program Files\Uninstall Information\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (817), with no line terminators
            Category:dropped
            Size (bytes):817
            Entropy (8bit):5.9006841964289585
            Encrypted:false
            SSDEEP:24:mixrTImEhovn3MNM3PzQRHqHbrfb00oN2xSl8k:5rTIm8Ccm37XgTN2sl8k
            MD5:7ED92817A7F8501AA8CAA5294E601B2E
            SHA1:89B51A3E25A682CAACAC48AEB7B0C695E8DE192D
            SHA-256:6EDC23C0485D4C05B126289B9B0D60DAA5FE6E005BBE0F3C5C95C010EAC792EA
            SHA-512:473BFB0CF5738635257C433F2B0916B12D69C9D3ADC27B09EE2FD1B4D7FB8259259534E004CE0BAE5E7566F221ACCE48646B83C5AAE5F4643413A90AD5DBC4A5
            Malicious:false
            Preview:38ayEHy1tqEyZUvbrfdCN1rNZPrOwFcLg0as5JdZ4LMJ9vb2XyYy9alBQMYzZkFoN3Si3CghCDHCpiNoyy17qnLFPYbsvn9UFi5Gd28UR0w6TjWs9uBltH7jsMTfkxwZDw6HmHK5zgqz1PwqBstAlYl7kWYQidtdEW3gmPG1jGvMbHsdane2EvxoL8gPs3WWxMveVPDwm1bfnYgco50591ZSiOUns0IptYYPWNHKjrPNUSAwcElxDbX6wc5H4aDvsvwPAQGbyqWRlM8QNiKoPVmSBbc3R9PJoeeifvvL8K9XFFVkdp3WPZfXJeNiyMJyaMnGrZubw8qFVPM5G1ZlF23P8HZBiNXvAL62cO3E4bjQsaB4RSc6whsiTXHkAt3jl4EKTUc28VroSmghFfuPva9ccYiEGTDLhAoyW1l6zj8a0EPq1kef8nxL5lr4vXvpSfGS7rLO3yaLcimYJ2MgyiM4Nd2uKqKcySIU86sKYQlKNmtX9Sv3KO1tTMFezbENn8WJZRaMJCIh6Cqkufu14QRjbZBv1OU7MXhPPk8s2juHGTwQfetUqMTWqxrAPoU4sKVjfaVKgC8UgJcImuPXeAQ9EKic27cNPzZ67NvFJjxoO8zhUiXeY7ar4WeU13RjjvFrtgLZ9KO4NmvGVBHUk7yRZsBltaNPSOEc2IxyX8fOtfeRkY9zw78m6xSBejpj68m9hSNMOS6lcki3NuAVaYdUPcgFzvTxS5Ru2fuSKwldAWJWOYxujUIieRtFvHWc9ITgSxBsAsKnwAU2SK0b7jO7xtQkvogDZId2DnDaWFu0Kevd7

            C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Recovery\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (917), with no line terminators
            Category:dropped
            Size (bytes):917
            Entropy (8bit):5.91215637744986
            Encrypted:false
            SSDEEP:24:QTaPQtmL5oaURuSIMG40qQNkaRwE1LiiId6kLmESmLChCS:QTaP5ohADqQNkaacGiIYrESvb
            MD5:A9E52A0713546C4C3E24C0B488C400FB
            SHA1:DFD607A154EAFEF70A0892D2D95748490DA53BA3
            SHA-256:88AB07ECB56EDD953B8D25C4883DBD35EB6EE5C36BFC45369181F6ACD3CC1D82
            SHA-512:660160F3FD58E9B2DBE54117CB28C70FD2EC89F6D87026EC0F20D52BAF9F08E8D90D4A3D79BF5FAAB511105DF15A8CCEA797DA77CDF3FC4C13565F68D4F3C07A
            Malicious:false
            Preview:Q6z2QlwFeYPCaz1eeqKKiHDT6IKSGZaNtl1zUzJ5XqG420ABQ9T0GvWJ3f5Hbe8E8CSz8BJohOw2AIbGIIBHGjG8Pr6y4Bd3rC60hKDOzoT28dIuEz9Sc17Y6UjQFVufu3L7Mli7FwScQO9vjLtECLb0Fh3MlxJd3xHFSKidQBMpjeHsVyr3mqdjcV2orVWSnyidH4dYnQyA8vQkaL1wFQ0NThn7S3v4p4Bu6olaUSPW1dkqEROfdjMX7VJjRfFue3UEtgovkbbxAeV0663BoQbFrowkeBJzNe28Ig6hnc4CHZWd9TmUmEFNbPXFuDRjRmjfmWraAVXMWY8RRTlLYzMIYog3I0xjLVuez10mlMURq31DQFyacGKcaaG80yRJixABndcad8jMe5cfwdmDCWHEKSEYu2wx4Ks230ZxnX7dg87e8lLWLNGLq60VYDplMwRTMjm6DzapYohMUjaIqZlqEhM79EYjrWQuqnSY9OTWxbwBYoAyng4wLkPpXp79a07CXxfqRBJcGO3nuKiVDk6LcejFYmBURU66euolJTglXcq6rm5MGl5z4wj3NZSp9yKwR7J9g7LtDUxAxmYwrzOpYGBsKuXtB1miR4ptd5pIaLwk8jFlAg8KkeXK5azvkcsLsOs36oSvJFPMUbtkpvsf3b7xgeyCG4i7dl2u1MoVNMBfPK0erOGytNSQQ5Wb0QpPhStsj9sdHWRrachWoUU1xtNQTld6zMf6gw87bH4sfnrX5k0yXAxg6xbxEcZ7gwn41VKodk4gZmVKC0UsvojyY8AtUL28s6Mt9wgkaMUwFRGTcQuOIrM1Mzf2UbTSs6ycamLQUuRjUxsH2qQEao0BuUgJQnP92BDJdo30Fd3XZngZGYAnKP1EGwsFFBAqeRqStjoOxa87uclHxHD1n

            C:\Recovery\cc11b995f2a76d

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (948), with no line terminators
            Category:dropped
            Size (bytes):948
            Entropy (8bit):5.918280696281116
            Encrypted:false
            SSDEEP:24:BKowj2hKmzQSgMSklTNUu2Q+MMDdRzdP5B7wojL:BFN3zQqZmQ+MMDd7Lwo/
            MD5:2FE2A9DFC2F1D064CA22059F251EFC93
            SHA1:D26F5AEE230290E6C2116627B4D01D9BF9057A65
            SHA-256:ACF10C6C5870A9020939BAECE2362D7DC3D4378EF3E97C439EBCCCB31C6F89A5
            SHA-512:3E9FD6E91A819436323F8D632585275769EFD445DA4991CCC902EB48EEECC5993553E9F0D55EDE21DDC1148C8FB2F2ADD1A59F812164717A1029233F2972A81D
            Malicious:false
            Preview:VLHNohbzpGaE2yXxS8xm525wenD8r3e36IZpDQH6gBHe01mlfiaktyBdPVtAddIvmgItZstB01G3ub5nAbcIc4JHG6ashHcD3V1Us3MxzZt2rHsyZG9CA9SsWAmdSBetYDAZjl4HPpTDKRa8NlSbHaC3DJ7sQtfx4AdoHTPyL1wUpOhFknPqsDl8AGVZnM1fJgIKyw14WePPnrOyl2ImdzE1YenA7zL9AQKJGXRyvUTOxWVS2hxuEOBUbRvTI17hSPPWhEsOlT0Jf0DCJUHZBa5wO0syl7p4Xw5hG8vxzjJuX2zlNtJxthf2UcHqW3mno6vt4f5KiTkcRLZWBHl2x1K0RDNo1Eb67fFaHGqry9OZ7CkJDvpPRuzwv4b0SQSe2nfwF8O4a4Dymu3OcElGYLoNpTpMozYhquhThyDEguzWqBKABMXOpMFr8SHwTBQkfgI1NjroAgjoWSgoJoKbcK1dpzUPrRveeO1K2SxcftNJnbVqvcnp0zIVooMXOc7suEJHaWv00s5s6s0OeodOoGopGgfOFZODvfYiROPYrwyI3ZY6y73j8sEoaeA40hube26bTR6QYEg2SfwqHjZIgoFCbuIxNUiKBXnAc6mhBnL3MMW4sUxQHm50x4AiIJCDgW052vNK62G2cL0PYOE3hRDYbxNi6EY1kHX0VaC7GmUOfCXlDvK4EJgOSbdEhpO2ePSVyA37LHx57y3ZZmfL3dwalIh477aaXbtQuCxC1Ms6WkRdiDo5JC8Ac1uqd99OrWhfFmpXycTqv0EA0DV4SeRVdty2RHj2NePADwY5XQGrtRPmxuzanF5MFMCVyxGr3bdQkD6DoZgCYjlLdLFhRJOHjC51uCHkKYxRx9BtxvvNj3yfk02mrjauNWriIFTlS519wUXeKWtfXAhqOaQ4Ke3l8DEbSckscJ5oBytPcYcVz4WMyAUs

            C:\Recovery\winlogon.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Recovery\winlogon.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Recovery\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Recovery\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Users\Default\Favorites\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (593), with no line terminators
            Category:dropped
            Size (bytes):593
            Entropy (8bit):5.880270456624233
            Encrypted:false
            SSDEEP:12:97MjfQKptKoQ8cEMdeb6n5ZfTWh8sXJFU0YyAolXyreSS0:97M1Mofcbeb65ZfTWhrjU0JVyS10
            MD5:9D9B03D11297F7E8E5AA7527B9527ABF
            SHA1:831A2928B13715B2EC414E862AED6F96B7159B7E
            SHA-256:40F0EF172643E6E7550023ABF6DF6A3D1C777EBEBA798F011BF72CFC378A059C
            SHA-512:A21C7F5221E39F082DE743546C93D0BF34BEC304F28A57409F204420047410BDB5142337E0A2E175E4DE2CAA532D1A826FF711DB56F2D9F1EA3E098A05FC0162
            Malicious:false
            Preview:KjAFtK75UGIQuuvU0F8qcHW8omkQsiGb9XaXkf4sc06hdgns6X6RUKHCNBaGjqMv9rQWUYtVKPOlLyeI82UVmzGzPXJjExJvoKhwQQYhnkGE5g1YgSIrW1JKkaG6OKQXGc7ARs1rewrBsB3tgvCwpbZxBXMzJbTdUt7ci0HyaaNjKHcigXadIdrpCK94gChCdNr8DbLpnOWPO0n34nSwBzV0CSaY0NSX2LG6aefFLuz3HbbMhF93uvAn205vAxya68XDtqdaIMkQ9btk1N0vNZnHKcDkitEY6Z7JEYc0miuhKuobHV3x6DMhVP2Rn22YHMUkdjfduAIpoF7aymdNzRc2MayzfLNtqWa8ZD7hzaC55h2PSccBZoi0tcXCvq8jxY8Rp8Buo5YZOg7phigCsLUBxjO7p4vIcdIgilkTbsWdQJlMesfNK51lE7dFuDFuKP6vYaG68MlAz0vo8Bc7Zi8hlhclHejXmmTBMzyEliO7T0wNMzHslHUlRZJ18fzdnOXMgtbINXW1TANuuOZRX1vfRstwp7GFsvUFdjrcY8fNvdRQLYGtFiGvc25yAocPRQIiqIRLh73ZVhtya

            C:\Users\Default\Favorites\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Users\Default\Favorites\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\inxVlfQD8T.exe.log

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1830
            Entropy (8bit):5.3661116947161815
            Encrypted:false
            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
            MD5:FE86BB9E3E84E6086797C4D5A9C909F2
            SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
            SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
            SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xzCoZyfxKxCkf.exe.log

            Download File
            Process:C:\Recovery\xzCoZyfxKxCkf.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):1281
            Entropy (8bit):5.370111951859942
            Encrypted:false
            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
            MD5:12C61586CD59AA6F2A21DF30501F71BD
            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

            C:\Windows\Microsoft.NET\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with very long lines (321), with no line terminators
            Category:dropped
            Size (bytes):321
            Entropy (8bit):5.788248890798407
            Encrypted:false
            SSDEEP:6:XMApnRX1OlZA41+Murt4E29yWWj/9uvof8Hpii8GLKwA9FI7uTWn:rpnRFONuCE29lj48HZ8GGnIDn
            MD5:04D4811547ADCF22FD7479E73164CD1C
            SHA1:6D03DC7B3588C305F73460DD1329D575AF947C2E
            SHA-256:F1C6487B82BABF4B491169D9039722D6A73EF3A30F8075209CB376FF9BBBF1AF
            SHA-512:AA01D1B5D09D9CE4208C30D8E8A9E74BEC1E0DCE1C55CCDAED287FF4509343F7A4172B06E2C8A0385626609E4AE1DA16793116A44A2B0B76D9E5D9E139BD7DB6
            Malicious:false
            Preview:kCbcLsJiheaaQ7kCq7rE4RMYeSz0DJSlO2cdNB8p007suEgmJcJ7fXYT0D823TeXMyMXeGyo9CNETdnawNrlAVG0eInKCGwhVkf52IHCne7dKU9WZiFql3X1sV3Wcnm3Ppst8sinFo7fXmpJIRveAG6bMoNgPvj92ENflQYqAbk661eFptNL2H2JsRgTfBYTE8mSZKi22Feif9fVKH0fiYHvMDwUtEL8DR27PMqfKVSwnUotvLJXK3vq01FVYOIy3gfNGhG8bVUMFUH2ZCii5xxJfLGXGVH6Ne3HyamNFL6ziilgtN5Vpj2GsVs5as1FO

            C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Windows\Microsoft.NET\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            C:\Windows\addins\016488274f7f2b

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):50
            Entropy (8bit):4.958562939644918
            Encrypted:false
            SSDEEP:3:Obsy4O+qpcLxW:o4O+fxW
            MD5:9BD00580995955CFB26498123379A3E7
            SHA1:FADCA5D5B8211BDFEF956985EA3F833D57C0806B
            SHA-256:0846BD24DF50A69749D15B53B525204D02FAE0125B9AC47419EA0B88473E8034
            SHA-512:AD00A4488BC1E674FD5463694BBD9209FDB8051C507835C405A9FE387867210642D23B0448112943C31758DD58AFE62DC21A4D86556E65624977A345EAAD3A13
            Malicious:false
            Preview:TgmWbAbQIuGgrPGcAGsKHGETvZj8FZki9NzqMCgpeJYAYeMKew

            C:\Windows\addins\xzCoZyfxKxCkf.exe

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1229824
            Entropy (8bit):6.918760307928908
            Encrypted:false
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            MD5:29CAAB9A27E99E61BF3B056EDA3BB63E
            SHA1:F58CAD4CB6B5CEFC0CA98E0B0DF406BEA0CA5D74
            SHA-256:E1612F1EB7384250BDDBBE3633589076A659E5104F003BA5CD29ADB9BFC6B075
            SHA-512:7637989C759F44685DBAA679267FFE5C5E0D4BE565FA4921BFA3E6EF931BCD75A61516A08321C6083041E083820C02CE46243429FACDCD79409C8EF3FFEE9542
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 84%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Windows\addins\xzCoZyfxKxCkf.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\inxVlfQD8T.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.918760307928908
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            File name:inxVlfQD8T.exe
            File size:1'229'824 bytes
            MD5:29caab9a27e99e61bf3b056eda3bb63e
            SHA1:f58cad4cb6b5cefc0ca98e0b0df406bea0ca5d74
            SHA256:e1612f1eb7384250bddbbe3633589076a659e5104f003ba5cd29adb9bfc6b075
            SHA512:7637989c759f44685dbaa679267ffe5c5e0d4be565fa4921bfa3e6ef931bcd75a61516a08321c6083041e083820c02ce46243429facdcd79409c8ef3ffee9542
            SSDEEP:12288:MiPYs0zwquEGq5QH9/vXt+g8Z6ztM1Mqti1ZGX5bZJORuSF3YMDUr46xFHU962uB:mLz5uE18NvXx8U5M1Nz5NSNYMD162u
            TLSH:D7455A027E84CA52F0191633C6EF454887B0AD516AB6E32B7DBA37AD55133A73C0D9CB
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6......n.... ........@.. .......................@............@................................

            File Icon

            Icon Hash:90cececece8e8eb0

            Static PE Info

            General

            Entrypoint:0x52a86e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x12a8200x4b.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x1300000x218.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1320000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000x1288740x128a00addcebd855e76789a20bb96ae36e4532False0.6612747906131479data6.952450390290568IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .sdata0x12c0000x2fdf0x30001df1fa535e87e1ff82fd0d2b540e916bFalse0.3102213541666667data3.2432516243007665IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0x1300000x2180x4007088fc9747b26f17366bfd566d8692caFalse0.26171875data1.8282194552185358IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1320000xc0x200da7d770cf03aa9c2d6a58ae267ca2ef9False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_VERSION0x1300580x1c0ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970EnglishUnited States0.5223214285714286

            Imports

            DLLImport
            mscoree.dll_CorExeMain

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:19:26:54
            Start date:23/05/2024
            Path:C:\Users\user\Desktop\inxVlfQD8T.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\inxVlfQD8T.exe"
            Imagebase:0x4b0000
            File size:1'229'824 bytes
            MD5 hash:29CAAB9A27E99E61BF3B056EDA3BB63E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1680174059.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1680174059.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1681557653.000000001286F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            General

            Target ID:1
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:2
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:3
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:4
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:5
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:6
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:7
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:8
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:9
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:10
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:11
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:12
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:13
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:14
            Start time:19:26:55
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:15
            Start time:19:26:56
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\en-US\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:16
            Start time:19:26:56
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:17
            Start time:19:26:56
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:18
            Start time:19:26:56
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Recovery\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:19
            Start time:19:26:56
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:20
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:21
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:22
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Recovery\xzCoZyfxKxCkf.exe
            Wow64 process (32bit):false
            Commandline:C:\Recovery\xzCoZyfxKxCkf.exe
            Imagebase:0xa70000
            File size:1'229'824 bytes
            MD5 hash:29CAAB9A27E99E61BF3B056EDA3BB63E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.1758511140.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 84%, ReversingLabs
            Has exited:true

            General

            Target ID:23
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft\OneDrive\ListSync\settings\xzCoZyfxKxCkf.exe"
            Imagebase:0x990000
            File size:1'229'824 bytes
            MD5 hash:29CAAB9A27E99E61BF3B056EDA3BB63E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1758461967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 84%, ReversingLabs
            Has exited:true

            General

            Target ID:24
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:25
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:26
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows defender\en-GB\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:27
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:28
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:29
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:30
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\winlogon.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:31
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:32
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:33
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:34
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkf" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:35
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\xzCoZyfxKxCkf.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:36
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:37
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:38
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:39
            Start time:19:26:57
            Start date:23/05/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "xzCoZyfxKxCkfx" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\xzCoZyfxKxCkf.exe'" /f
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Disassembly

            Reset < >

              Executed Functions

              Function 00007FFD9B895A15 Relevance: 1.6, Instructions: 1637COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb93896e76c90b6f7a151845ea4c0fa9ae716da446c4c7aefcc84d60ae99d4af
              • Instruction ID: f0caadc1b63662bef5e56fde1ce9412c6ff05a150f12ef49e6bada71e76bbe03
              • Opcode Fuzzy Hash: eb93896e76c90b6f7a151845ea4c0fa9ae716da446c4c7aefcc84d60ae99d4af
              • Instruction Fuzzy Hash: E2D2E974A0991D8FDFA9EB58C8A5BA8B7F5FF59300F1105E9D01DE3295CA34AA81CF40
              Function 00007FFD9B8943B8 Relevance: 1.4, Instructions: 1402COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f269a289673382c3a334b12d3bdbe8450cad1ad656baca6682aaf31e721c28e
              • Instruction ID: a2425f6499e542494154e635f8aa80ceed6d29b60acfd64bdb5206c1536e42f0
              • Opcode Fuzzy Hash: 0f269a289673382c3a334b12d3bdbe8450cad1ad656baca6682aaf31e721c28e
              • Instruction Fuzzy Hash: DBB29270A0E68E8FEB659B6488696F97FF0FF1A300F0505BED458C71E2DA7866448742
              Function 00007FFD9B889CA7 Relevance: 1.3, Instructions: 1290COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91a604571a399973018182ef1922c0485322ea4d71f63651e6f31aaec0f25a50
              • Instruction ID: 1f6e521941a7fd82cc7a44a9f06d6e214b4fcd4eec6e9049f3572c6619330e02
              • Opcode Fuzzy Hash: 91a604571a399973018182ef1922c0485322ea4d71f63651e6f31aaec0f25a50
              • Instruction Fuzzy Hash: F5A2A030A0EA8E9FDB56DB64C8695A93FF0FF1A300F0605EBD459CB1A3DA38A545C711
              Function 00007FFD9B8945B8 Relevance: 1.2, Instructions: 1215COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: de74476a3a1d60bdf907217b10a98ef5c73182a97e32924ab6065316fb993031
              • Instruction ID: 5e0cadc4769a7ccdeb6431696d03b4c55af83fb0cbafedb3dde6775ebe0c1fec
              • Opcode Fuzzy Hash: de74476a3a1d60bdf907217b10a98ef5c73182a97e32924ab6065316fb993031
              • Instruction Fuzzy Hash: 04927171A0E68E8FEFA5DF6488696F97FE0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B8946D8 Relevance: 1.1, Instructions: 1125COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 715243c4444b598eb5c76c5a417dcd1556e485d026674b39f40db1c3e8604116
              • Instruction ID: da966a4e707acf922a6ea6292286188268a4240d31a7cbc43231061e5e567c8b
              • Opcode Fuzzy Hash: 715243c4444b598eb5c76c5a417dcd1556e485d026674b39f40db1c3e8604116
              • Instruction Fuzzy Hash: 51826171A0E68E8FEBA5DB6488696FD7FE0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B894809 Relevance: 1.0, Instructions: 1035COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44b9c68c8e0420cf0518e8820b9bca6307451dcb8a14fec693ef488ce8892ee2
              • Instruction ID: 085d47e92b436bf4adb067d5604dc4be0c56bef73e62957f87220094d96b9b0c
              • Opcode Fuzzy Hash: 44b9c68c8e0420cf0518e8820b9bca6307451dcb8a14fec693ef488ce8892ee2
              • Instruction Fuzzy Hash: 78727171A0E68E8FEFA5DB6488696FD7FE0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B894948 Relevance: .9, Instructions: 932COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cd2743d1c98123f02f51863989530fed16decb44b5f87b12e354f96ffadd171d
              • Instruction ID: 5c19dcde25ae0aff2455bea4397ec9409c8269e6a8dc02b98df840ab79226ef6
              • Opcode Fuzzy Hash: cd2743d1c98123f02f51863989530fed16decb44b5f87b12e354f96ffadd171d
              • Instruction Fuzzy Hash: DC627171A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B894A68 Relevance: .8, Instructions: 846COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8e30fddd2342e882ddbad83d436f022af1a32ff765f250da98f134987b4fb87
              • Instruction ID: 409d0b8ab470da7c608ba357918fd9adbb71bbedee907b1490079eb97bafc88b
              • Opcode Fuzzy Hash: e8e30fddd2342e882ddbad83d436f022af1a32ff765f250da98f134987b4fb87
              • Instruction Fuzzy Hash: 63527071A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B893848 Relevance: .8, Instructions: 784COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e396a66bc93e7cc6b7f4d8cc7e9e1b79aff289eb23690e758df0ce838954a4a
              • Instruction ID: e2a060cca2875d5318fb90225201c362222d78119c3660ebce8254d0bdace3a4
              • Opcode Fuzzy Hash: 7e396a66bc93e7cc6b7f4d8cc7e9e1b79aff289eb23690e758df0ce838954a4a
              • Instruction Fuzzy Hash: 30529130A0E68E8FEB65EF64C8696B97FE0FF19304F0505BED419C71A6DA38A644C741
              Function 00007FFD9B894B18 Relevance: .8, Instructions: 781COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d90bb9fd06d1140df94a87e626aa36992dd8d592ffd33be4923d5959ef967d23
              • Instruction ID: 2eda2e9d3696e20b371cd51ce81554f27275fa5fc29d699065e0604ebd223dac
              • Opcode Fuzzy Hash: d90bb9fd06d1140df94a87e626aa36992dd8d592ffd33be4923d5959ef967d23
              • Instruction Fuzzy Hash: EC428031A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B894F00 Relevance: .6, Instructions: 577COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2bd6373e4ec6ddc4b6758c0daf8d85dfe27611f2fd16cf60a237cfe895983978
              • Instruction ID: 6fb80e1a838a6ef4bc5d7715a1bffe35b5cff2c81ee2984df23d15cc45ad634f
              • Opcode Fuzzy Hash: 2bd6373e4ec6ddc4b6758c0daf8d85dfe27611f2fd16cf60a237cfe895983978
              • Instruction Fuzzy Hash: C6127230A1AA4E8FEBA5EB64C8696FD7BF0FF19300F0505BAD419C71A6DE34A544CB41
              Function 00007FFD9B88CD98 Relevance: .4, Instructions: 424COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fee27aed58ab38348042597433523c6ce259822cf443d356c519112e35cfeed3
              • Instruction ID: ebe3caf7f3773bc4f0d8f045f85a1486d16be6633b6dd25a991f9a0a6f0bd7e6
              • Opcode Fuzzy Hash: fee27aed58ab38348042597433523c6ce259822cf443d356c519112e35cfeed3
              • Instruction Fuzzy Hash: 53E19070A0A64E8FEBA5EB6488696FD7BF0FF19300F0145BAD41DC71A6DE386644CB41
              Function 00007FFD9B88A87D Relevance: .3, Instructions: 332COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf39814bff65183e67796cc8511566228ab589fb8e361e0ea291e2519576fff0
              • Instruction ID: 3d8881b331b1e93c3f7612a73deca478821b66b67b04f7fdd9287a661c93e48b
              • Opcode Fuzzy Hash: bf39814bff65183e67796cc8511566228ab589fb8e361e0ea291e2519576fff0
              • Instruction Fuzzy Hash: 6EB1AF30A5AA4E9FD755EB64C8696F97BF0FF09300F0645BBD429C60E2DA38A644C741
              Function 00007FFD9B893838 Relevance: .3, Instructions: 294COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 295c3b166216d23eb064e61a82bfa5f354887f92df0effb9d94d949b8e7ab536
              • Instruction ID: a9d4369cb32ce6acd0c1a7a44988819203c34d577e71786ae46e67283ec42923
              • Opcode Fuzzy Hash: 295c3b166216d23eb064e61a82bfa5f354887f92df0effb9d94d949b8e7ab536
              • Instruction Fuzzy Hash: B1A1E030A0E68E8FEB69EB6488696BD7BF0FF19304F0505BED419C71E6DA386644C741
              Function 00007FFD9B88ABC0 Relevance: .2, Instructions: 247COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6bf55c489d736806e3dc306079ee39be224c4a9ba58d05bfa35519ed0fe3c6e
              • Instruction ID: 4e4e9563c77c713844df101590d83ffa7aa309f5bd1d04a06a3ec70cceb32d3c
              • Opcode Fuzzy Hash: c6bf55c489d736806e3dc306079ee39be224c4a9ba58d05bfa35519ed0fe3c6e
              • Instruction Fuzzy Hash: A9818B30A0A64E8FEB59EFA4C4656FE7BE0FF1C304F11457AD419D31A5DA38A645CB40
              Function 00007FFD9B88C7E9 Relevance: .2, Instructions: 228COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7800822162b228dcae74149a94410f7aa7cd11677876d722a9e0c559340f922d
              • Instruction ID: 242cc73e91aa88481b7090ba57bfbe1fd2be4f5a2342c52d8c94de713df52251
              • Opcode Fuzzy Hash: 7800822162b228dcae74149a94410f7aa7cd11677876d722a9e0c559340f922d
              • Instruction Fuzzy Hash: 9C711230A0A64E8FDB99DF64C8696FE3BE0FF58300F1145BED819C71A5CA34A694C750
              Function 00007FFD9B8835EA Relevance: .2, Instructions: 203COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db1c190d0da8fc4558b92e0e5114ce989eada10e062a0af850a1233a3c6d6db7
              • Instruction ID: d4027d58ed026fd4bf6656c70d006334e4afb801ba9b20eef3615de04373b451
              • Opcode Fuzzy Hash: db1c190d0da8fc4558b92e0e5114ce989eada10e062a0af850a1233a3c6d6db7
              • Instruction Fuzzy Hash: 2661B472A18D4D8FEB58DBACD8257AD7BE1EB99350F90017AD01CC32CADBF414068741
              Function 00007FFD9B88EDF0 Relevance: 3.8, Strings: 3, Instructions: 82COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: [$]$g
              • API String ID: 0-3773536528
              • Opcode ID: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction ID: a6b9960ef7838f0e94bc3de5052e268e00225d38f1863e7ac9a5818c456bbd2b
              • Opcode Fuzzy Hash: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction Fuzzy Hash: A241A570E09A2E8FEB79DF54C8557F9B6B1BB58301F0145FAD41DA62A1CB781A84DF00
              Function 00007FFD9B88EFF8 Relevance: 2.6, Strings: 2, Instructions: 59COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: U${
              • API String ID: 0-2735307867
              • Opcode ID: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction ID: 1961a32b15717c8161ac70ec502d1da25eac5651ba631ed9e43c8c65cd21232c
              • Opcode Fuzzy Hash: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction Fuzzy Hash: CF21EA70A09A6D8FEB79DF54C8647B976B1BF58301F1146FED41EE22A1CB781A848F01
              Function 00007FFD9B8915B9 Relevance: 2.5, Strings: 2, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: %$*
              • API String ID: 0-3952375145
              • Opcode ID: 37b7f484b6fdd35017a2f4b21de3891940addd746d972f1d67b11b836a3e2f41
              • Instruction ID: c9e6e430f393e0d1b793dc8a9b8428528025bda9fbf0a118445f51abf799e06a
              • Opcode Fuzzy Hash: 37b7f484b6fdd35017a2f4b21de3891940addd746d972f1d67b11b836a3e2f41
              • Instruction Fuzzy Hash: A2F01730E0C61D8AEB25AF90CC686EDB7B1EB55301F04422AC4099B2A4DBB86944CF45
              Function 00007FFD9B8829B0 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: UWVH
              • API String ID: 0-545401801
              • Opcode ID: fc0f5e3c9c7a465b84ddf4824fbb9bca6823249ee777593a6a49ebd96de9d88d
              • Instruction ID: 48f84d04f7e9de2280dc8ed7393547e9a2a3a3c8e24c410a2b62edb4c5a66fab
              • Opcode Fuzzy Hash: fc0f5e3c9c7a465b84ddf4824fbb9bca6823249ee777593a6a49ebd96de9d88d
              • Instruction Fuzzy Hash: 39618F34A1A64E9FEBA6DF68C8686B97BF0FF1D300F1108BAC409D71A1DB34A645C741
              Function 00007FFD9B8829A8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: UWVH
              • API String ID: 0-545401801
              • Opcode ID: c76a27787ac4dc9ba14cb9cb7af39e8d9fc7d1eb73933449a8199f94649741fc
              • Instruction ID: 755407440eca60a40b90acd76805754d7c5b7b0d70aa62aea0c2772db0634c9e
              • Opcode Fuzzy Hash: c76a27787ac4dc9ba14cb9cb7af39e8d9fc7d1eb73933449a8199f94649741fc
              • Instruction Fuzzy Hash: BC51A334A5E64E8FEB669B6888242F97BF0FF09314F0505BAD409C31A2DF78A654C741
              Function 00007FFD9B88F376 Relevance: 1.4, Strings: 1, Instructions: 136COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: M
              • API String ID: 0-3664761504
              • Opcode ID: d7fcf872791a5f8558a2b87f78a6866abcd162caa6cf5934fcd8178757cc1961
              • Instruction ID: 84fb8573300611d3a2052772067e3c9560bd3e14d78543b853cf9f797ecd5b08
              • Opcode Fuzzy Hash: d7fcf872791a5f8558a2b87f78a6866abcd162caa6cf5934fcd8178757cc1961
              • Instruction Fuzzy Hash: 625136B0A19A1D8FDBA8DB5488A57E9B7B1FB58300F0001EAD15DE3291CB742A81CF45
              Function 00007FFD9B8803BD Relevance: 1.3, Strings: 1, Instructions: 84COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: sS^
              • API String ID: 0-472316317
              • Opcode ID: 513c6ce2b41565229a825515947654bcf7259997de5af68a9fc3bb78b2907694
              • Instruction ID: 77f115c34f2c5ef8f1dd879b986971d4ea315ed857f44ae71eecc7d0335fc653
              • Opcode Fuzzy Hash: 513c6ce2b41565229a825515947654bcf7259997de5af68a9fc3bb78b2907694
              • Instruction Fuzzy Hash: 0D213782B0FDD32FE7565B790C654586FA0BF2264475D80BFC0B84B0E7D915E80A8385
              Function 00007FFD9B88F654 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: U
              • API String ID: 0-3372436214
              • Opcode ID: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction ID: 68fa454b44a77902b320335d038befafc86847bba1c9afa59af1540fc126931c
              • Opcode Fuzzy Hash: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction Fuzzy Hash: 1DF05430A08A4D8FDB65DF40C8607E977B2FF58350F0102EAD419D32A1CB786B858F00
              Function 00007FFD9B8910C5 Relevance: 1.3, Strings: 1, Instructions: 22COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID: %
              • API String ID: 0-2567322570
              • Opcode ID: 25de28e834bd8bc7a8c5d312c3f78d599d5c6ba3a9596943ed58c8e4be8220ad
              • Instruction ID: 312b394c91b0eede2eee94eee45ecaedbbeffd21a008c87fd99b8c4cbf99237d
              • Opcode Fuzzy Hash: 25de28e834bd8bc7a8c5d312c3f78d599d5c6ba3a9596943ed58c8e4be8220ad
              • Instruction Fuzzy Hash: 49E0ED30E0C25D8FDB15EFA0CCA49EDBBB1EB49301F04026AC0498B2A4CB782954CB84
              Function 00007FFD9B894B98 Relevance: .7, Instructions: 747COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 320a396bc1007a6d3aa2a86b3955de3f42545d146071e291ce5944f9cf8f610b
              • Instruction ID: 5d665a370d40f0947c35edc79a83f2773df9530082fc5751fb88f0157d7612d6
              • Opcode Fuzzy Hash: 320a396bc1007a6d3aa2a86b3955de3f42545d146071e291ce5944f9cf8f610b
              • Instruction Fuzzy Hash: E5427F71A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED418C71A2EA7866448741
              Function 00007FFD9B894C28 Relevance: .7, Instructions: 700COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d0995927f785f54f5f299b319bf64cb18e072d0ac1ead5c6b92ad237a5c155b
              • Instruction ID: 597d8f4a7acea6aeb20306d01442aac1e67202ca8e867cd5474a51aac29548a9
              • Opcode Fuzzy Hash: 6d0995927f785f54f5f299b319bf64cb18e072d0ac1ead5c6b92ad237a5c155b
              • Instruction Fuzzy Hash: 78327E70A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED419C71A2EA7866448741
              Function 00007FFD9B894CA8 Relevance: .7, Instructions: 668COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fc151889f06c1950238695cb8142b5c5d6acb9f16e5dd738f79eaadfac4fa59
              • Instruction ID: 61b40c0741d97266fd3b6422edb4e6c60b42705fc915fee759f8d5b78960ad34
              • Opcode Fuzzy Hash: 4fc151889f06c1950238695cb8142b5c5d6acb9f16e5dd738f79eaadfac4fa59
              • Instruction Fuzzy Hash: 6E327E70A0E68E8FEBA5DB6488696FD7FF0FF19300F0505BED419C71A2DA7866448741
              Function 00007FFD9B894D48 Relevance: .6, Instructions: 613COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24e4d52f509583f59eb6aff9095d1e344191381e99621db169fcfc892227e09d
              • Instruction ID: c10e1bb11323ef35cfca51f76be5f25bebfab21b40f4c3eeab305add3820a96d
              • Opcode Fuzzy Hash: 24e4d52f509583f59eb6aff9095d1e344191381e99621db169fcfc892227e09d
              • Instruction Fuzzy Hash: EC227E70A0EA8E8FEBA5DB6488696FD7FF0FF19300F0505BED419C71A2DA7866448741
              Function 00007FFD9B88D880 Relevance: .5, Instructions: 488COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0255b6ff45681e5dcd2c76cc1a12b139bf69ebc013c691c3f5745da7a29c4c52
              • Instruction ID: 2a171cb9525f7830d1f02c6b30401b007914d861cb484d6be52faccd089d548d
              • Opcode Fuzzy Hash: 0255b6ff45681e5dcd2c76cc1a12b139bf69ebc013c691c3f5745da7a29c4c52
              • Instruction Fuzzy Hash: 7F023C71E19A5D8FEBA8EB68C8647B8B7B1FF58300F1401BED01DD72A6DA346941CB41
              Function 00007FFD9B891B4F Relevance: .4, Instructions: 448COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4552226cb7fb9ecc536820cc0e442bf418d53d37133f7f6c0d3b7036068c45f3
              • Instruction ID: 54d8206636d274bf80f46cd97af60deb6f24f0131ff405c52f918164d4381eff
              • Opcode Fuzzy Hash: 4552226cb7fb9ecc536820cc0e442bf418d53d37133f7f6c0d3b7036068c45f3
              • Instruction Fuzzy Hash: CDF1923090E7CA8FDB569F7488655E93FF0EF1A304F0605EBD449CB1A3D628AA58C752
              Function 00007FFD9B894F98 Relevance: .4, Instructions: 433COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb987fa52d246e6dcf1860169d95f6b11faa66914c55c0e2d63f20cd3a4940f8
              • Instruction ID: 91feb3d4aeb00e2de2ce51a0a7036f90b46272015d805048e98693acd3906530
              • Opcode Fuzzy Hash: eb987fa52d246e6dcf1860169d95f6b11faa66914c55c0e2d63f20cd3a4940f8
              • Instruction Fuzzy Hash: A9E18170E1AB8E8FEFA5DB6488696FD7BF0FF19300F0505BAD419C71A2DA3869448741
              Function 00007FFD9B88C340 Relevance: .4, Instructions: 413COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fa19ee42fd011c444faa9914ea841e7817412642ded55c7f75aac7381c913d9a
              • Instruction ID: 3a9c314f00c9390ddb1180fe626215bb8923021518be440423b6344e180fe636
              • Opcode Fuzzy Hash: fa19ee42fd011c444faa9914ea841e7817412642ded55c7f75aac7381c913d9a
              • Instruction Fuzzy Hash: F5D18330A4E78E8FDB569B7488696E93FB0FF0A300F0605BBD458C70A6DA389645CB51
              Function 00007FFD9B88D840 Relevance: .4, Instructions: 402COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 893ab8bdd2fdaec2141033456c690cd0a367a7d0483fbbf4f3d79ea6041b1cfe
              • Instruction ID: 2af42dd9294702176eb62a961d50cb5fc8bcd00618d42ba2a34519c85269a41e
              • Opcode Fuzzy Hash: 893ab8bdd2fdaec2141033456c690cd0a367a7d0483fbbf4f3d79ea6041b1cfe
              • Instruction Fuzzy Hash: 45E15F71A19A8E8FEBA9DB6888647F8B7B1FF19300F0401BED01DD71E6DA346941CB41
              Function 00007FFD9B882BF8 Relevance: .4, Instructions: 396COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8144518ae728fe48e3672a8d7b3f15aa84985c8a8a94d9e7acc7b43f21877ec1
              • Instruction ID: 8c12108a2d7ae88854490bdc53a9daf4a52232f1440f6c9dbf7ea331043dd9b5
              • Opcode Fuzzy Hash: 8144518ae728fe48e3672a8d7b3f15aa84985c8a8a94d9e7acc7b43f21877ec1
              • Instruction Fuzzy Hash: B0D1B231A0EA4E8FE762EFB8C8695E97BE1EF19314F0545B6D028C70B6DA38A545C740
              Function 00007FFD9B895E81 Relevance: .4, Instructions: 370COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eed24a15e90eab859d5170c2644c3288dc4e02522208712a62e7cf2df78d308f
              • Instruction ID: ca462cd409bdd4fa891f5ff4d225939f059c9d514fda6336fb9e7388b927092a
              • Opcode Fuzzy Hash: eed24a15e90eab859d5170c2644c3288dc4e02522208712a62e7cf2df78d308f
              • Instruction Fuzzy Hash: C0C18070E0E68E8FEFA59B6488696FD7FB0FF19310F0505BAD45CC61A2DE3866448B41
              Function 00007FFD9B88AD28 Relevance: .4, Instructions: 368COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77c9ba9718391fe1e216ed5cc1e27aa31de79c1a51e7707a9d09a406fced2e40
              • Instruction ID: cf697f671fedb9ce9eb52608a7f651c8ddfaf0c7ffa04b990b33ac63b6a55a65
              • Opcode Fuzzy Hash: 77c9ba9718391fe1e216ed5cc1e27aa31de79c1a51e7707a9d09a406fced2e40
              • Instruction Fuzzy Hash: D0D1A230A0E68E9FDB55EF6488656FA3BF0FF19304F0105BBE819C61A2DB38A654C741
              Function 00007FFD9B8805F0 Relevance: .4, Instructions: 356COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b9f0e3966d095f0a075611250c88a5d0f605a751a4a4dc4a3ebfe9bb9c4e6ec
              • Instruction ID: a368625e07c653ab0e964ed42de60fd99990f87a5f6969eb9beb393dc8a90ff0
              • Opcode Fuzzy Hash: 0b9f0e3966d095f0a075611250c88a5d0f605a751a4a4dc4a3ebfe9bb9c4e6ec
              • Instruction Fuzzy Hash: 24B10230B09A4E8FDB99EF2888645B977E2FF9C300F1545BED429C32A6DE34A941C741
              Function 00007FFD9B8950B8 Relevance: .3, Instructions: 346COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31d214628e2fd95b6e073eb971a2f5a2895d090534df1f5d1d281d7f91fbe211
              • Instruction ID: da4f38b759ec735e022c1ab7dcc08211f12ef906b16059091bc984b36aa55342
              • Opcode Fuzzy Hash: 31d214628e2fd95b6e073eb971a2f5a2895d090534df1f5d1d281d7f91fbe211
              • Instruction Fuzzy Hash: 73B19170E1AB4E8FEBA4DBA888696FD7BF0FF19300F01057AD419C31A6DE3469458B41
              Function 00007FFD9B88AE70 Relevance: .3, Instructions: 340COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 96b0b150af85a18a95ec3ba23d1fb88326a2a7d9bc8085cb40b9f0f9f4947c20
              • Instruction ID: f0a03a5cf13aac519d75f065de53ea66d8a1d1b1499b32f097b25b4aa38af053
              • Opcode Fuzzy Hash: 96b0b150af85a18a95ec3ba23d1fb88326a2a7d9bc8085cb40b9f0f9f4947c20
              • Instruction Fuzzy Hash: 7CC18E70A0A64E8FEFA5AB6488696FD7BB0FF19350F0105BAD41DC61A2DE386644CB41
              Function 00007FFD9B88D8F8 Relevance: .3, Instructions: 339COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77d066afddd1e4888e982bb13c74bcd402a9503e2959bf20b0d1e58568da1611
              • Instruction ID: f2154ba7ae59a73d68c36b0d3d61c8bbd5a4de9c5de56f6d7318caed0c179ccd
              • Opcode Fuzzy Hash: 77d066afddd1e4888e982bb13c74bcd402a9503e2959bf20b0d1e58568da1611
              • Instruction Fuzzy Hash: 4CC11B71A19A5E8FEBACEB58C8647B8B7A1FF58300F1401BED01DD72A6DA346941CB41
              Function 00007FFD9B881AD5 Relevance: .3, Instructions: 337COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c21dfd4563517054c87aced48f50a59c94feb2e92d3e1d2d617def473792bdf8
              • Instruction ID: f7ddeccab8449c8faed4eb4ca9ab1722d79e287eee0f00234d9e0cc1f0055600
              • Opcode Fuzzy Hash: c21dfd4563517054c87aced48f50a59c94feb2e92d3e1d2d617def473792bdf8
              • Instruction Fuzzy Hash: B8A1E230A0EB8E8FDB69EF2888655A93BE1FF9D300F0545BED459C71A2DE34A901C741
              Function 00007FFD9B8805A0 Relevance: .3, Instructions: 321COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77faed8f6ed70b234d0e69804dd2f926fa5c604587dd9d71c8e00b5f8e6e035a
              • Instruction ID: fd574d5a931ff504d0035a603a9daab69592d5da84a6ec8944cdce43ccc0b619
              • Opcode Fuzzy Hash: 77faed8f6ed70b234d0e69804dd2f926fa5c604587dd9d71c8e00b5f8e6e035a
              • Instruction Fuzzy Hash: 7F916E43B0FAD64BE72573ADBC791E93F50EF8566470D02F7D0E88A0E7EC2469468281
              Function 00007FFD9B895F19 Relevance: .3, Instructions: 315COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7447e94602e3fb634e0ea0686d772f18f0f8f13318e1f297362d056062fd47a8
              • Instruction ID: 6eb04a61f399e934e1e6cfd7b35e4dccfbcf67775ac7164724dbf1a17089b808
              • Opcode Fuzzy Hash: 7447e94602e3fb634e0ea0686d772f18f0f8f13318e1f297362d056062fd47a8
              • Instruction Fuzzy Hash: 2FB17F70A0A68E8FEFA59B6488697FD7FB0FF19350F0505BAD45CC21E2DE3866448B41
              Function 00007FFD9B8805FA Relevance: .3, Instructions: 307COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 56fc0a00c2cae883b3b61cdd198766fb2b3668bddd3613a55949e9e250dccaf6
              • Instruction ID: 9f9d73dd06732ca142c6bc3f70972272cbb738a76034ef85f6f637cfa67c764d
              • Opcode Fuzzy Hash: 56fc0a00c2cae883b3b61cdd198766fb2b3668bddd3613a55949e9e250dccaf6
              • Instruction Fuzzy Hash: C3914E43B1FAD54BE72573ADBC791E93F50EF8562470D02F7D0E88A0E7EC2469468291
              Function 00007FFD9B88D978 Relevance: .3, Instructions: 304COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a762961809e0ac872b683e7387ea1edce3c167b7a7f4d2082900e78aef9e5e4
              • Instruction ID: cc8a77f72907ef4f082c975a513e48b74e21eaaa10f503e36d52c65542b1cfd6
              • Opcode Fuzzy Hash: 2a762961809e0ac872b683e7387ea1edce3c167b7a7f4d2082900e78aef9e5e4
              • Instruction Fuzzy Hash: FEB12D71A19A5E8FEBACEB58C8647B8B7A1FF58300F1401BED01DD72E6DA346941CB41
              Function 00007FFD9B8820A5 Relevance: .3, Instructions: 303COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d214d9d2518399e9efc19d57ee56f5c08fbfbaac8bf4a3babee8b00faf64e834
              • Instruction ID: 4392d9518746de9093ade0fc9071f065c810c60e2084a2d198bfbb778b9afb2d
              • Opcode Fuzzy Hash: d214d9d2518399e9efc19d57ee56f5c08fbfbaac8bf4a3babee8b00faf64e834
              • Instruction Fuzzy Hash: 79A1E331E0EA1E8FEB69DFA4C8616F8B7A1FF49310F0141BAD05DD71A2DE386A458741
              Function 00007FFD9B88C865 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e94f81538bea0281279a8f2c9c31a69e186f69678a0d8e839a6cf423f736b3fe
              • Instruction ID: cf0dd2b6951bda062c5f99971f2720ef644d85c1b2d784f0d749a31621fadc87
              • Opcode Fuzzy Hash: e94f81538bea0281279a8f2c9c31a69e186f69678a0d8e839a6cf423f736b3fe
              • Instruction Fuzzy Hash: 7DA1D231A0A61E8FDB65EFB8D8686FD7BE0EF09314F0105BAD019D71A6DB34A544CB80
              Function 00007FFD9B8832F0 Relevance: .3, Instructions: 288COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1282e90b3acd03c8d65705400e30e30326c1b2842c25f413a3b73edd2fee84e6
              • Instruction ID: e4398781528b74a787c5db5740b3d8fc55b5a0d9eec1f23e756da662fd1bf5cd
              • Opcode Fuzzy Hash: 1282e90b3acd03c8d65705400e30e30326c1b2842c25f413a3b73edd2fee84e6
              • Instruction Fuzzy Hash: D7A19630A0EA8E4FDB56DB74C8686B97BF0FF1A304F0505BAD429C71E2DA39A545C711
              Function 00007FFD9B88AEFA Relevance: .3, Instructions: 278COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bf0b139ac471dcc2038b4173b3534d7c473919e6e7bd4e6c43ea232f16dfdb9
              • Instruction ID: f347098464f2a1412de378dade9269b201fb809a14eb7441c319a9147adbd13d
              • Opcode Fuzzy Hash: 1bf0b139ac471dcc2038b4173b3534d7c473919e6e7bd4e6c43ea232f16dfdb9
              • Instruction Fuzzy Hash: 1091D830A0EA4E9FE761DB74C8686ED7BE0FF49300F0545BAD428C70E6DE39A6498741
              Function 00007FFD9B88BB6A Relevance: .3, Instructions: 275COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c54e529afe7b8aab5710d78d162ce38900f228f27185d5ad1480c040b882d0b4
              • Instruction ID: 176b7ed09e395c42281ecf8b66d0f180cf5dff719d1eb6e384df14d006e11723
              • Opcode Fuzzy Hash: c54e529afe7b8aab5710d78d162ce38900f228f27185d5ad1480c040b882d0b4
              • Instruction Fuzzy Hash: BDA14B30E0AA4E8FEB65DFA4C4686FD7BF1FF49310F11057AD429D71A1DA39AA448B40
              Function 00007FFD9B890B9D Relevance: .3, Instructions: 274COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afd3b66cf20074363940c4b4b6a5a567728980eaef5cc18e439611f1d5aa30ec
              • Instruction ID: 87439e45c12973003e132be9b28ec832ce5e7179805b02c159b3d0329ba5c257
              • Opcode Fuzzy Hash: afd3b66cf20074363940c4b4b6a5a567728980eaef5cc18e439611f1d5aa30ec
              • Instruction Fuzzy Hash: 03A18030A1E78E8FDBA59F6488296EA3FF0FF19704F0505BAD818C71A2DB38A554C741
              Function 00007FFD9B880640 Relevance: .3, Instructions: 270COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ecb7e94694bc0fb0564b32c632a9926ad74377230539515f788f35fa92dacf9
              • Instruction ID: 38fb67f9148ce423715251d592840ffeb15a73e177fee4daec8968a689d21a6b
              • Opcode Fuzzy Hash: 2ecb7e94694bc0fb0564b32c632a9926ad74377230539515f788f35fa92dacf9
              • Instruction Fuzzy Hash: 63716D43B0FAC54BE72573AC7C791E82F50EF8576470902F7E0E88A0F7EC2569468281
              Function 00007FFD9B895FA8 Relevance: .3, Instructions: 265COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6af0374fd6bbedd5750f18e7d54ef5667d0ff66ff6b91c649076e4299b0c7627
              • Instruction ID: d1224c35ebacfb0bf583e90183a6250babbe0ae365dc2615b7a202e5b59426cf
              • Opcode Fuzzy Hash: 6af0374fd6bbedd5750f18e7d54ef5667d0ff66ff6b91c649076e4299b0c7627
              • Instruction Fuzzy Hash: 40918F70E0E68E8FEF659B6488697F97AB0FF19340F0505BAD45CC21E2DE3866448B42
              Function 00007FFD9B8960D0 Relevance: .3, Instructions: 256COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e2414eaa9487b87987be48ce3158eb9ccd58a32d0771d73b42cf04f48ad3f2de
              • Instruction ID: 8c013ec6f9faedb915f85fc3fa6a76233e70a5d6b50bd0186a92c5b3c47f01d2
              • Opcode Fuzzy Hash: e2414eaa9487b87987be48ce3158eb9ccd58a32d0771d73b42cf04f48ad3f2de
              • Instruction Fuzzy Hash: 86A11D70E0A65E8EEF64EBA484657FD7AB0FF19344F1141BAD41DD31A2DE386A84CB01
              Function 00007FFD9B881628 Relevance: .3, Instructions: 255COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7452da5b768f7859503f98aeec84fcffc0aea19e940258d01d54c63dcb25707f
              • Instruction ID: a755c3ae8344bb45e044b797cc811e8de1ade64989b6b422bae7718486977888
              • Opcode Fuzzy Hash: 7452da5b768f7859503f98aeec84fcffc0aea19e940258d01d54c63dcb25707f
              • Instruction Fuzzy Hash: B371C031B09E4D8FDB59EF5888A15A977E2FF9C300B1545BEE46DC3292DE34AD028781
              Function 00007FFD9B882FE8 Relevance: .3, Instructions: 254COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 90000d2f8cc53b4d0ab14585ab9cd3c39bec41e69e294b5e8b1d64560635522a
              • Instruction ID: a838669607798cec6997b3ad7cb690e8d6a09d3090de2c5b4aca33963504086a
              • Opcode Fuzzy Hash: 90000d2f8cc53b4d0ab14585ab9cd3c39bec41e69e294b5e8b1d64560635522a
              • Instruction Fuzzy Hash: 53916330E0EA4E8FDB55DBA4C8646ED7BF0FF49300F0545BAE419D71A2DA38A944C751
              Function 00007FFD9B892399 Relevance: .2, Instructions: 250COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f36ca1219c2cd55db8e77a638c99a4acb9fafd32e56e3fbd50f289207e07d86
              • Instruction ID: 61559300a8eafd51933b492292e7efb07bc9c250c2b427c7aac0c8c6efa2caeb
              • Opcode Fuzzy Hash: 1f36ca1219c2cd55db8e77a638c99a4acb9fafd32e56e3fbd50f289207e07d86
              • Instruction Fuzzy Hash: 9D81943094E38E8FDB5A9FA488255EA3FF0FF09310F0645BBE459C61A2DB38A645C751
              Function 00007FFD9B88C810 Relevance: .2, Instructions: 249COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d75b47d30661b170821ab297f6b7783490911324295dfdd62cfa57f705192bba
              • Instruction ID: ffc00d3b387d323fd537a2b47e80384514c850e1975bdb897fa3c11b9bf940e1
              • Opcode Fuzzy Hash: d75b47d30661b170821ab297f6b7783490911324295dfdd62cfa57f705192bba
              • Instruction Fuzzy Hash: 3F819530A0A68E8FDB95DF68C8696BE3BF0FF19300F0505BAD419C71A1DB34A554CB51
              Function 00007FFD9B88C950 Relevance: .2, Instructions: 238COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8189433c019d5b49f9108038851dc01ede083c59eb86b9d7f715179820a3bba1
              • Instruction ID: 2049457f789a7ce3cf21baf3332a2d6949839f17d6b7f6934d41cd69995842ff
              • Opcode Fuzzy Hash: 8189433c019d5b49f9108038851dc01ede083c59eb86b9d7f715179820a3bba1
              • Instruction Fuzzy Hash: 7C71FA62A0FFCA4FE757976858395B53FB0EF4621070A01FBC0A9CB0F7D92869498752
              Function 00007FFD9B88ABB8 Relevance: .2, Instructions: 234COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d0a2851f5095f96c578c491eb688a8e7ba22548f63ec07d768bf525018128eb8
              • Instruction ID: 0f447aebdaf568a66110b7fce08664a2282923200594bccd8d048ccc5448d4ee
              • Opcode Fuzzy Hash: d0a2851f5095f96c578c491eb688a8e7ba22548f63ec07d768bf525018128eb8
              • Instruction Fuzzy Hash: 10817030A5A64E8FDB59DFA4C8655FE3BE0FF09304F01457AE819C21A1DB38A645CB81
              Function 00007FFD9B881C19 Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92b3a54c69af38372e6273db8b7957c0aca2c4e5973bdc74e4addcd57b1e7ed3
              • Instruction ID: 4ad9f17a4c33535f4d458e0132f99a862e808e77457f1ff4d5317e35d15def48
              • Opcode Fuzzy Hash: 92b3a54c69af38372e6273db8b7957c0aca2c4e5973bdc74e4addcd57b1e7ed3
              • Instruction Fuzzy Hash: 4861C230B09B4E8FDB59EF1888A45BA77E2FF9C300B15457ED469C7292DE35A902C780
              Function 00007FFD9B8805D0 Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7bcf3665e7d5339817f33043613f2c62b85c6f8270b324cc744340aae2599a67
              • Instruction ID: a565a8e006dc689f75c1925834549853b99bf13abdc8c2279fc051a9b09a8821
              • Opcode Fuzzy Hash: 7bcf3665e7d5339817f33043613f2c62b85c6f8270b324cc744340aae2599a67
              • Instruction Fuzzy Hash: FE61D330B09B4E8FDB59EF1888A45BA77E2FF9C304B15457ED469C7292DE34A902C780
              Function 00007FFD9B88A5B8 Relevance: .2, Instructions: 224COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0b1a676d879c6eb477737967f749dfb362b0120acfd7076be5ea178926dd79e
              • Instruction ID: c28708433e28bbc625930422d4324f15c75be85ee64ff36702d018569947f656
              • Opcode Fuzzy Hash: e0b1a676d879c6eb477737967f749dfb362b0120acfd7076be5ea178926dd79e
              • Instruction Fuzzy Hash: BF718230A1AA8D9FDB65EFA488255FD7BF0FF19300F4105BAE459C71E2EA38A644C741
              Function 00007FFD9B892A01 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 521760c681bb4f3df1c04acac93aa6a74b3d14c576edaefee5d3fc239d07b87b
              • Instruction ID: a24bae6755ed40106007ae2093fbcf89b645b03cff7f1c66fca94f46e84915b5
              • Opcode Fuzzy Hash: 521760c681bb4f3df1c04acac93aa6a74b3d14c576edaefee5d3fc239d07b87b
              • Instruction Fuzzy Hash: 9B81FB30E0955D8FEBA5EFA8C4587EDBBF1FF59300F0141BAD41DE61A5DA346A848B40
              Function 00007FFD9B896038 Relevance: .2, Instructions: 220COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c15202e61ce6e86622edda34ebaa12bb8d019fd393740f202d5bc734b8c5768
              • Instruction ID: d30927847e02e695705e1b040a18aa5470e59317af6aac242f5f7d7312d5d06a
              • Opcode Fuzzy Hash: 6c15202e61ce6e86622edda34ebaa12bb8d019fd393740f202d5bc734b8c5768
              • Instruction Fuzzy Hash: 17817070E0A64E8EFF659BA488697F97BB0FF19340F0505BAD45CD21A2DE3866848B41
              Function 00007FFD9B88C3A0 Relevance: .2, Instructions: 215COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 797ebf4a212f40de48f0e2aad4b2fcd84653e451fd760ed49309a0d9d6893794
              • Instruction ID: 4bc873320e3168618ed4f389d8e70f8489e7b604f27bc2fabe236dcf0021ea49
              • Opcode Fuzzy Hash: 797ebf4a212f40de48f0e2aad4b2fcd84653e451fd760ed49309a0d9d6893794
              • Instruction Fuzzy Hash: 75718030A4EA4E8FDB55DB7488695B93BF0FF19304F0245BFD429C70A6DA34A645CB41
              Function 00007FFD9B88D4C0 Relevance: .2, Instructions: 208COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c4b354dee5b017c5910f2f6706eace0caabceb12011028193176b030a5ffbc3d
              • Instruction ID: aa3eea97f504ff732982082345ea98113dab4203704f789c9055e8e595ffda89
              • Opcode Fuzzy Hash: c4b354dee5b017c5910f2f6706eace0caabceb12011028193176b030a5ffbc3d
              • Instruction Fuzzy Hash: 66718330A5E78E8FD7669B6488282E97FF0FF0A304F0505BFD468C61E2DA789644C741
              Function 00007FFD9B8805B8 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5c8f6ede40b84f333ae0fc9a2d6387b9679d46b1d23cd45b177f8c1d66f6fe4
              • Instruction ID: 01fc062197d7a0294327d75bcb1d01abfe4a03eb43e3420148cfc640e7cac209
              • Opcode Fuzzy Hash: e5c8f6ede40b84f333ae0fc9a2d6387b9679d46b1d23cd45b177f8c1d66f6fe4
              • Instruction Fuzzy Hash: 6B515D52B1FA964FE72177BCAC791E43FA0EF45724B0945F7D0A8CA0E7EC2465458381
              Function 00007FFD9B893BFB Relevance: .2, Instructions: 200COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c81f8d7f34fbc900212d8a60509c4ae5d1c3e3bca8e1097aa076b33358068658
              • Instruction ID: b93cd73f8b0f9a0fa4a5c2b121726d37bde54742d4adc03fad0c264a7abbbd35
              • Opcode Fuzzy Hash: c81f8d7f34fbc900212d8a60509c4ae5d1c3e3bca8e1097aa076b33358068658
              • Instruction Fuzzy Hash: 03718470E1AA5D4FEB61EB6888697E97BF1FF59300F0104BAD01DD31A2DE346A44CB41
              Function 00007FFD9B88CA05 Relevance: .2, Instructions: 190COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2bc3c1cc14e108bd4f336032311a45f4d1c07b034484123aebc7ad5898f935a
              • Instruction ID: 5b18f0fd6eb47628bfc87cf2086eb85c83a9b9babf724f2115d2fe7a77a8d453
              • Opcode Fuzzy Hash: a2bc3c1cc14e108bd4f336032311a45f4d1c07b034484123aebc7ad5898f935a
              • Instruction Fuzzy Hash: 40617270E0E64E8FEB65DBA4C8242FDBBF0EF0D310F05417AD419D62A2DA3866448B61
              Function 00007FFD9B890CD0 Relevance: .2, Instructions: 177COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40c1e5f82f95647ef1a413350bfa67a89c64c0098407dc7a9e78c07c4c25afff
              • Instruction ID: d1dd2f596f7921e18ebd214e8874c332749ff86d1d447ea4069c5f77dc14de9e
              • Opcode Fuzzy Hash: 40c1e5f82f95647ef1a413350bfa67a89c64c0098407dc7a9e78c07c4c25afff
              • Instruction Fuzzy Hash: C8516930A1A68E8FDB99EF64C8696BE7FB0FF19304F0105BAD419C71A6DB34A644C741
              Function 00007FFD9B890CC8 Relevance: .2, Instructions: 175COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7c6bd546172c6b46335b9c60590d7e53da617b8b8541ff182608be8793d43bd
              • Instruction ID: 566d1df6b8fbb0c801427cc93e02057ce0d9c6df7b7652308007b1a5240cdb44
              • Opcode Fuzzy Hash: f7c6bd546172c6b46335b9c60590d7e53da617b8b8541ff182608be8793d43bd
              • Instruction Fuzzy Hash: 5D515F30A1E78E8FEBA59F6488252EA7FB0FF19700F0505BAD818C61A1DB78A6548741
              Function 00007FFD9B88C818 Relevance: .2, Instructions: 171COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f236549e231152d1d9e675f82916ab318f6be9f88a804c60dc3a5c365d55569
              • Instruction ID: 08d03c2a545b866bfd2454c2bd179f9cc3a14297a9100a51036fc72e32d3f9f9
              • Opcode Fuzzy Hash: 0f236549e231152d1d9e675f82916ab318f6be9f88a804c60dc3a5c365d55569
              • Instruction Fuzzy Hash: 90516430A0A78E8FDB95DF68C8696BA3BF0FF19301F0505BAE419C71A1DB349554CB91
              Function 00007FFD9B88C820 Relevance: .2, Instructions: 166COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51309e4db7dbdd5c912c3521eede11d5e7830090f63c903b6c1bc4290b496913
              • Instruction ID: ebb8f7116f22fea65fe146f449adc3ed4f9847780b07732d837cab836b51047b
              • Opcode Fuzzy Hash: 51309e4db7dbdd5c912c3521eede11d5e7830090f63c903b6c1bc4290b496913
              • Instruction Fuzzy Hash: 6C51C130A0A64E8FDB99EF64C8696BA3BF1FF19305F1105BED409D71A5CB35A640CB90
              Function 00007FFD9B88112D Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4f19fb27c3fd4b03b4993f72821152d172af1e365f3a55f8ed2a721d8e30989
              • Instruction ID: e6e50fc5677a79425dadc88f2d4fd2aa87efe6ee5b7b539af8db8642f09e6b05
              • Opcode Fuzzy Hash: d4f19fb27c3fd4b03b4993f72821152d172af1e365f3a55f8ed2a721d8e30989
              • Instruction Fuzzy Hash: A651B130A0AA4E4FEB95EB68C8646F97BE0FF5D310F0105BAD019D71A6DE356945C740
              Function 00007FFD9B88D558 Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 79f3f2df6627980ca60a9b46de0087a179389d9d8bcd04394542d2bdfb112e24
              • Instruction ID: c1080b700167bee6ea4edfc0d80987095053dd991264e7ac3e3f90a06b39407a
              • Opcode Fuzzy Hash: 79f3f2df6627980ca60a9b46de0087a179389d9d8bcd04394542d2bdfb112e24
              • Instruction Fuzzy Hash: 22514130A1EA8E8FDB659F64C8282FD7BB0FF09305F0505BED429C61A2DB789A54C741
              Function 00007FFD9B88C858 Relevance: .2, Instructions: 157COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae888270f10c8dd40fae7158f6fdeda234669416982f91793447ae6dc2d1e0b1
              • Instruction ID: 73826f0c429177aabe9a1cb1d039fd5ff088e67ac03c3501eefe05ee44b5ef7c
              • Opcode Fuzzy Hash: ae888270f10c8dd40fae7158f6fdeda234669416982f91793447ae6dc2d1e0b1
              • Instruction Fuzzy Hash: 3E514130A1AA8E8FDB659F64C8282FD7BF0FF09305F0505BED429D61A1DB789A54C741
              Function 00007FFD9B88BFE0 Relevance: .2, Instructions: 151COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1eea7d371be49028cedfcd12bc78da4618dbdef83a3b5b1953cf1905c06489e
              • Instruction ID: d0676b3ddceb9f59ac3aa3b9c494c28f5750601c59703a67793046fe33025299
              • Opcode Fuzzy Hash: d1eea7d371be49028cedfcd12bc78da4618dbdef83a3b5b1953cf1905c06489e
              • Instruction Fuzzy Hash: 6651A330A0AA4E8FDB65DB64C8696F97BF0FF09304F0105BBD419C71A6DE39A644CB41
              Function 00007FFD9B88C74D Relevance: .2, Instructions: 150COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c3c9462de05f8954f064f077b57b513d06ef5a6169fe32bccae7216dc2555e3
              • Instruction ID: 6c26f5e36afd68a713244d31f57d9284f09516699d1a48fa6b0c8ea01fb9bd16
              • Opcode Fuzzy Hash: 3c3c9462de05f8954f064f077b57b513d06ef5a6169fe32bccae7216dc2555e3
              • Instruction Fuzzy Hash: FC514D70E1991D8FEBA4EB98C465BE9B7F1FF59300F1141BAD00DE3295DE346A808B50
              Function 00007FFD9B883090 Relevance: .1, Instructions: 148COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df2fd03cd467c9180716fd466ef1dca211cfa876f3ec618d85d841f1b4e1e75c
              • Instruction ID: d5b3a58f17a0077f20eacb9ba37ba47727b0909fa971c88896bee0c6cc899a95
              • Opcode Fuzzy Hash: df2fd03cd467c9180716fd466ef1dca211cfa876f3ec618d85d841f1b4e1e75c
              • Instruction Fuzzy Hash: 49512C30E19A4E8FEB64DBA4C4646EDB7F1FF49300F41007AE419E72A1DB78AA44CB41
              Function 00007FFD9B88C8D3 Relevance: .1, Instructions: 148COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e43085be89a049c6cabc673527e2875eee7e43a2635fffbf997501be657a8b7
              • Instruction ID: c92e21b437d54154d4aed46a752a45249ff0c4b5805e69c06f90685f2cf84d55
              • Opcode Fuzzy Hash: 0e43085be89a049c6cabc673527e2875eee7e43a2635fffbf997501be657a8b7
              • Instruction Fuzzy Hash: FE41D82260F7D64FD71797689C754E97F70EF47220B0A01FBC5A4CB0E7D92825498791
              Function 00007FFD9B882D69 Relevance: .1, Instructions: 147COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bf65e45911cd6c5839fc13e963dc142939a49d3ac0409e43a961672e3ce15bf
              • Instruction ID: 5c7c2609b807db9fe6c72e0e5c0c7754ec48c809d2aeeeb663690ffbcbe12d33
              • Opcode Fuzzy Hash: 1bf65e45911cd6c5839fc13e963dc142939a49d3ac0409e43a961672e3ce15bf
              • Instruction Fuzzy Hash: 6C41B630A5E68E8FE7629FA48C296E97BF0FF0A310F0505B6D418C60E6DB38A645C741
              Function 00007FFD9B88C8CD Relevance: .1, Instructions: 132COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 246ee84b74adf3a6d43f762b61c7e482ca5bbf777f6342e67d055970bb8ef636
              • Instruction ID: f2db5521e8b9106d7bdcf2603bec61177ab3f54d85ac76bae612c84a0906a6d9
              • Opcode Fuzzy Hash: 246ee84b74adf3a6d43f762b61c7e482ca5bbf777f6342e67d055970bb8ef636
              • Instruction Fuzzy Hash: 9D418261A0F7DA4FD71797689C794E93FB0EF07214B0A01FBC4A9CB0E7D92825498792
              Function 00007FFD9B880500 Relevance: .1, Instructions: 132COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8d6408366d4f7b31dcf508a2bdc6188374fe3a5a604e9b8e33a584c8f31cb40
              • Instruction ID: 84fc065aa6b7a3eb9d6b48e94f9116f86c3b8da68155e3470b119784c9c8e961
              • Opcode Fuzzy Hash: b8d6408366d4f7b31dcf508a2bdc6188374fe3a5a604e9b8e33a584c8f31cb40
              • Instruction Fuzzy Hash: CD419330A1AA8E8FDB55EFB4C8685A93BF0FF19304F0544BAD419C71A6DB38E654CB01
              Function 00007FFD9B88C805 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a6ce2bf856b59e6db0929b5ba7ac5901aa80d89a55d3b7a65ff19006fe16afc
              • Instruction ID: 34748bf5c6e28d683b83b6db6feb25d2ab5db70fa6d31e32089f8a0684eb7361
              • Opcode Fuzzy Hash: 6a6ce2bf856b59e6db0929b5ba7ac5901aa80d89a55d3b7a65ff19006fe16afc
              • Instruction Fuzzy Hash: C541C530A0E68E8FDB55DF6488252FA3BF0FF19300F0105BAE818C61A5DB38A694C791
              Function 00007FFD9B88BFD8 Relevance: .1, Instructions: 127COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 957cb8add938867be0c0d08fa47ebbc6be6c9bda7b3377b0d30efb16214a18c4
              • Instruction ID: a1c088a29812e6ca4c483185428486465731086e82a5f75603fe5ed7ad6e45bb
              • Opcode Fuzzy Hash: 957cb8add938867be0c0d08fa47ebbc6be6c9bda7b3377b0d30efb16214a18c4
              • Instruction Fuzzy Hash: E1418730A0EB4E8FDB669B6488296F97BF0FF09300F0505BBD415D61E6DA399644CB41
              Function 00007FFD9B881140 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53a44bec679dedd01422ec762ab38c432c433cee79b108d945433b8a4662185d
              • Instruction ID: 6ac3e3ef01828f0792c1b8a9953663a2836d0ba695719f4cfa104c1c4eb18d89
              • Opcode Fuzzy Hash: 53a44bec679dedd01422ec762ab38c432c433cee79b108d945433b8a4662185d
              • Instruction Fuzzy Hash: 3231C030A1AA4E8FEBA5EBA8C8646F977E0FF5D310F01017AD029D71E2DF3869048741
              Function 00007FFD9B88C165 Relevance: .1, Instructions: 123COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 073cc5bf05cb3ad98a2532219bbb1b18f4cb7da5ce35a7a6f6058e9cecd343ca
              • Instruction ID: 436b364c960d532757f2526d417a8cc1c231128ea9dd1bf151a2b4fc7a3d44e8
              • Opcode Fuzzy Hash: 073cc5bf05cb3ad98a2532219bbb1b18f4cb7da5ce35a7a6f6058e9cecd343ca
              • Instruction Fuzzy Hash: A631D875E19D1D9FEBA4EBA8D8A5AACB7B1FF58300F41013AD01DE3296DE3469418B40
              Function 00007FFD9B88CD40 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 453cc5f720052af1ab422d77a1c95c7e4c81992867d731a7971602fb79a8436c
              • Instruction ID: 894d5d67c991e0dfd6388634127f1b027954844bfa4ee4162f04caf9231948b7
              • Opcode Fuzzy Hash: 453cc5f720052af1ab422d77a1c95c7e4c81992867d731a7971602fb79a8436c
              • Instruction Fuzzy Hash: FF41D270A0AA4E8FEFA9EF6488656BD7BE1FF19300F0105BEE41DC21A6DE346244C741
              Function 00007FFD9B892548 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89c02bda7b83d0f6c61630a9721e6d5a749bd71c1340fbd78ba4cc5a3ef0b9a6
              • Instruction ID: 5bd100c8c89e8343f1658186b042d0d2b5f18a3d117dc11ea2992ce33d430fcd
              • Opcode Fuzzy Hash: 89c02bda7b83d0f6c61630a9721e6d5a749bd71c1340fbd78ba4cc5a3ef0b9a6
              • Instruction Fuzzy Hash: 7D41A030E1A64E8FDF599FA4C8611EA3BE0FF49300F11413AE849D22A1DA38A644CB81
              Function 00007FFD9B8809B0 Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09be2c353a764b57e12be678c48170f27b24ff91e6088f309581264fc1619fd0
              • Instruction ID: 7a906f7718aa3307c8c020f520b55df89e43e23898d65b653255113df104086d
              • Opcode Fuzzy Hash: 09be2c353a764b57e12be678c48170f27b24ff91e6088f309581264fc1619fd0
              • Instruction Fuzzy Hash: 1F31D330E2A90E4FE7A1EBB8C8585B97BE0FF5C700F4145B6D42CC70A6EE34A6448741
              Function 00007FFD9B88AEA5 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb8e9a5e5d03762251e12b77e390d3149fc0c0529fe84a18cd5c7e66add7abf0
              • Instruction ID: 36f32e5803b6ca7b986310092fc38e240a0ca25a793b62ae9f8f510f4cc7e58f
              • Opcode Fuzzy Hash: fb8e9a5e5d03762251e12b77e390d3149fc0c0529fe84a18cd5c7e66add7abf0
              • Instruction Fuzzy Hash: 2A417330E09A4E8FDB66DFA4C8656FA7BF0FF09310F0105BBD419D61A6DA786A44CB41
              Function 00007FFD9B8825ED Relevance: .1, Instructions: 103COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50e79d5bca7b2874f88ed0022aa57282a528bcede38070bb19eb352b7dcbce4d
              • Instruction ID: c2f64782aa1cc018fefccff1a13799f993be7d806e53fa213c139ccb0bf0b9f7
              • Opcode Fuzzy Hash: 50e79d5bca7b2874f88ed0022aa57282a528bcede38070bb19eb352b7dcbce4d
              • Instruction Fuzzy Hash: C1316F3091E7CE8FD766DF6488686A53FB0BF1A204F0644FBD458C60A6EB389658C701
              Function 00007FFD9B883430 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a95896f397cd151c33e7c7cc7be9e35c7a0710631d771d48a3b40f3583d85e22
              • Instruction ID: ff73bfa623128bc1d3f724c11f09630529f8a1a0c8dfc82039f6c2022adb53d3
              • Opcode Fuzzy Hash: a95896f397cd151c33e7c7cc7be9e35c7a0710631d771d48a3b40f3583d85e22
              • Instruction Fuzzy Hash: 09317431E1FA8E4FEB669B7488257F93BA0FF19314F05057AE42DC60E2DB38A6448741
              Function 00007FFD9B882DF8 Relevance: .1, Instructions: 100COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc28dadcdde32eb476ab28e7807589cd20b1d15b99abfe700a1060bbf1128f27
              • Instruction ID: 25eac738efff0263479f1d2e7aa7bde88ba2e4407b8ab82d5405e0d1ec540ce4
              • Opcode Fuzzy Hash: cc28dadcdde32eb476ab28e7807589cd20b1d15b99abfe700a1060bbf1128f27
              • Instruction Fuzzy Hash: A131A530A5EA4E8FE7729FE48C646F97BA0FF0A310F060576D428C50E6EB78A644C641
              Function 00007FFD9B88D4F0 Relevance: .1, Instructions: 98COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba2ffde9f60f2ce8e008d279b8f42edf2dee2fb3ac9101fffe30b9b6a5422b8a
              • Instruction ID: 46c0ea58545b3cbd11f0014730d5031c0c736303758c5512522be9108e7da6b4
              • Opcode Fuzzy Hash: ba2ffde9f60f2ce8e008d279b8f42edf2dee2fb3ac9101fffe30b9b6a5422b8a
              • Instruction Fuzzy Hash: 3E316130A1EA8D8FD756EB64C8686A97BF0FF19304F5504BBD429C60A6DE39E544C701
              Function 00007FFD9B8968C6 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a315ebdf0f08e193f72848003a8d1ab0a5dab9684b119aa4fc7b68b7a9eeaf9
              • Instruction ID: fa6028462844439cc263978ce392f141f87b6f6fc1c4a4e25b6b8c98ca0f4a7b
              • Opcode Fuzzy Hash: 2a315ebdf0f08e193f72848003a8d1ab0a5dab9684b119aa4fc7b68b7a9eeaf9
              • Instruction Fuzzy Hash: D8410B70D0961D8FDBA4EF94D4A47ECBBB1EF58350F1002BAD45DA22A1CB786A91CF01
              Function 00007FFD9B88C048 Relevance: .1, Instructions: 91COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e862464a1b4329811e13a4516afc53138cac70084f83c93fbdbad3daea675c1
              • Instruction ID: bf86a39f1072d9e603f2c14af944d68c90367a3a8ed9465bade5e56e3ca43f3f
              • Opcode Fuzzy Hash: 8e862464a1b4329811e13a4516afc53138cac70084f83c93fbdbad3daea675c1
              • Instruction Fuzzy Hash: E1316334E0DA4E8FEB65DB6488696FA7BF0FF09300F0105BAD429D61A6DA785A44CB41
              Function 00007FFD9B880805 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6d09e9d595e114157896b75da2218b44d9d83287aa7912877068748a7851d4b
              • Instruction ID: 225c1395ab2ccac67256fce3997acb540ab138a93fa4597aa3c4a308a80ab14c
              • Opcode Fuzzy Hash: c6d09e9d595e114157896b75da2218b44d9d83287aa7912877068748a7851d4b
              • Instruction Fuzzy Hash: 34216B61B1E65B9BE71563BCEC792E87B90FF01718F0941B7C0A9CD093ED24A19A8281
              Function 00007FFD9B88C825 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6d6f59eb33b3ea5ff32c1b51b3ef5c0ece7d1f9b410fb749fc296667576ca9b
              • Instruction ID: 288198896e12d15f654b04038c9061afc05ecd4cad0629de08ea94420a77ae81
              • Opcode Fuzzy Hash: a6d6f59eb33b3ea5ff32c1b51b3ef5c0ece7d1f9b410fb749fc296667576ca9b
              • Instruction Fuzzy Hash: 0421BA30A0A64E8FDB65DF68CC695FE7BE0FF18305F01057AE819D21A1DB34A550CB81
              Function 00007FFD9B880991 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f24c627e58a75bc8dc6713b54145bdec36de16cbe729f8fa699c397aa6f5106
              • Instruction ID: 3767a05e2c9817886c7c3f4b8f7463af55d9068e6aaeb13a25a002200a60cedc
              • Opcode Fuzzy Hash: 9f24c627e58a75bc8dc6713b54145bdec36de16cbe729f8fa699c397aa6f5106
              • Instruction Fuzzy Hash: 4521C831E6FA8E4FE7619B648C652F97BE0FF59600F4505B6D468C60E3EE38A6448341
              Function 00007FFD9B8A10D0 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aea40a479e9eeed30a842939c4a0ebc0809ec00d9b88738c13f552e703e86d79
              • Instruction ID: 76b900f5344f153b769414bcf9d22b90a89081daf48b0bdc8f57d09e90eb97c0
              • Opcode Fuzzy Hash: aea40a479e9eeed30a842939c4a0ebc0809ec00d9b88738c13f552e703e86d79
              • Instruction Fuzzy Hash: D2318E70A0A64E8FDB65DFA498652FE7BB0FF59300F01007AE419D22A5DA34AA548B91
              Function 00007FFD9B890DE8 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba5a0c155ef5d3d92f31d79c0a5c9083d05a0b8e248e72d7cc5d153085ef58c4
              • Instruction ID: 9a3fc9ec8252e729a50a67e275a0b039beba64a9663b9e8ff8b9efe4bede9016
              • Opcode Fuzzy Hash: ba5a0c155ef5d3d92f31d79c0a5c9083d05a0b8e248e72d7cc5d153085ef58c4
              • Instruction Fuzzy Hash: 54318231A1E79E8FEF659B64C8242EE7BA1FF09700F05057AD418C71E1DB78AA548741
              Function 00007FFD9B88CD30 Relevance: .1, Instructions: 85COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8afa536bb8f6fa6d633935029926967d6cd578265043c16dc86130387800e164
              • Instruction ID: bfce91f313af989f9128546d563ca51236a73afabfe622b9687e22d7839cb42f
              • Opcode Fuzzy Hash: 8afa536bb8f6fa6d633935029926967d6cd578265043c16dc86130387800e164
              • Instruction Fuzzy Hash: 11210732A0992E8BDF68AF98E8246FD7BA0FF58320F00013BD409D7196DE2465558BC4
              Function 00007FFD9B88CD38 Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01b23c9281c38339b25d1e286c21678b07f436bbf6f5d4b53b4448e95f7d1685
              • Instruction ID: 4e19478b8906cbd59470af79048e6d759da500f48933fa0d50b21c80c2e6b935
              • Opcode Fuzzy Hash: 01b23c9281c38339b25d1e286c21678b07f436bbf6f5d4b53b4448e95f7d1685
              • Instruction Fuzzy Hash: 6021F632E0992E8BDF68AF98E8246FD7BA0FF58320F00013BD409D7296DE2465558BD4
              Function 00007FFD9B892CA2 Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d02666719672ffa3a830248c1a877e4b724cad667409343946001eb766ad23be
              • Instruction ID: 71825ca2555a1136728f861b097b4b52b4dcea80990ecebc36ba4b40a5be43ba
              • Opcode Fuzzy Hash: d02666719672ffa3a830248c1a877e4b724cad667409343946001eb766ad23be
              • Instruction Fuzzy Hash: EA319770E1961D8FEB54EFA4D865BEDBBB1FF18300F5041A9D01CA3296DE3469818F41
              Function 00007FFD9B88CD48 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66e5b9ff30d30409a8b9d926a17e52b9466d38f711f70c2ff7c4a78909d5a50c
              • Instruction ID: 2e07f22984de247de1d8dd0317a05934b31dc20231fd3d8b4c69e6cbb8453ed3
              • Opcode Fuzzy Hash: 66e5b9ff30d30409a8b9d926a17e52b9466d38f711f70c2ff7c4a78909d5a50c
              • Instruction Fuzzy Hash: DA11B431A09A2E8BDF64AB98E8645ED7BA0FF58310F00013BE409D3195DE24694587D0
              Function 00007FFD9B88B814 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 298eb05ee0efb9063f1c180eddcaef76c22794c63a0182e9a4caa0189ec2e7ed
              • Instruction ID: c8ec4466f6d35b55f4adc1f22424d105069d063f8808081e0f0e7c1d4e7953d9
              • Opcode Fuzzy Hash: 298eb05ee0efb9063f1c180eddcaef76c22794c63a0182e9a4caa0189ec2e7ed
              • Instruction Fuzzy Hash: 3321FE70E0691E8FDB64EFA4C8546EDB6B1EF5C300F4145BAD41DE22A1DE386A818F50
              Function 00007FFD9B88CD50 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abdbe3a8c22c7b215866d7ed8ac68ba09f81428cf9dc1406966d5783c2c9b8a0
              • Instruction ID: 0fca9a9763ec8c3b6d5193c1f5ec5d1aff576e1be9532ee30f21abae0cb4a8cf
              • Opcode Fuzzy Hash: abdbe3a8c22c7b215866d7ed8ac68ba09f81428cf9dc1406966d5783c2c9b8a0
              • Instruction Fuzzy Hash: 18119331A09A1E8BDF64AB98E8649FE7BA0FF58310F00013BE419D2195DE2465458790
              Function 00007FFD9B881F59 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bcf0aad6f866e9a70ee6918a228d579dc40501132949515d3fb4b2281140b9f
              • Instruction ID: c2228767d1939bac1e385f3085215ba4d85bcce1dc60963d8f414b207c1e054e
              • Opcode Fuzzy Hash: 1bcf0aad6f866e9a70ee6918a228d579dc40501132949515d3fb4b2281140b9f
              • Instruction Fuzzy Hash: AA11821164FAC64FDB2367B948704656F904F0B224B1E46FBD0E8CB0E3DE185946C302
              Function 00007FFD9B880EEB Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db5b9c8107b20bdf82e4f4a46319a8342ec740bc7c79366d9aa0833620bafc4c
              • Instruction ID: 1cb1d8151257be02c1d28a2bee1885d74354e8372c555c8f54f952347c58e0a5
              • Opcode Fuzzy Hash: db5b9c8107b20bdf82e4f4a46319a8342ec740bc7c79366d9aa0833620bafc4c
              • Instruction Fuzzy Hash: 1F219231F19D0E8BEB64EB94C865FED73A1EF88310F118279C419AB1E5CE346A458B80
              Function 00007FFD9B895DD8 Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75da5ed6064fff9180a11f046d1da7fcb00360809ffcda13f07d53c28e6dfbe8
              • Instruction ID: 6bcca2efcdee2a8d5c9c70202a93f626e18ca2c7d410df966a52611f9e1d0928
              • Opcode Fuzzy Hash: 75da5ed6064fff9180a11f046d1da7fcb00360809ffcda13f07d53c28e6dfbe8
              • Instruction Fuzzy Hash: 74116131A0DA5E8FDF95EF98D8246ED7BE0FF58310F04017AE409E3295DE3459548791
              Function 00007FFD9B8804F8 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e1e10a9642313199dd8e2101dd3d0a4bbccc42c0f7f693b2f284eee9c60a038
              • Instruction ID: 1dd411c8d1333a8bb1315d299860b140999edde5a91c8a0b7e0a0dc5be4153f8
              • Opcode Fuzzy Hash: 0e1e10a9642313199dd8e2101dd3d0a4bbccc42c0f7f693b2f284eee9c60a038
              • Instruction Fuzzy Hash: 4B11663091EA8E8FEB69EFA4C8282B93BE0FF19304F4504BAD419C61E5DB38A554C741
              Function 00007FFD9B88C9F5 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0483b385ef01d1f16c30ef250f0333124759fe7dcbcb5ab879275d66e95b3dab
              • Instruction ID: 84af75ba45e50b0e41b0b3a7f38c258a1b87fa6c8e169d5fbb4afc39072d3b89
              • Opcode Fuzzy Hash: 0483b385ef01d1f16c30ef250f0333124759fe7dcbcb5ab879275d66e95b3dab
              • Instruction Fuzzy Hash: 57016D30F0D54E8BDB60EFA8E4655FFBBF0EF48310F111476E419E2295DA74AA5086A1
              Function 00007FFD9B8A3660 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0d4495e417fe96a1b7164b3005aafb9d415ed71af28c14aa98da3ff86b12b4e
              • Instruction ID: 5dd84817897074f891efe2367f2d42c882ff38e0ccace3242755b14da3360a82
              • Opcode Fuzzy Hash: b0d4495e417fe96a1b7164b3005aafb9d415ed71af28c14aa98da3ff86b12b4e
              • Instruction Fuzzy Hash: DE015E30A19A4D8FE7A1EB64C86C6AA7BF0FF1D300F4645BBC408C7161EA34A644C711
              Function 00007FFD9B89379D Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce64465f43e9886d11e3f0ce266ca6eceded3bfea08a4c39f8ebba4ef750249b
              • Instruction ID: e737b3ca3bcc6712354fdc226b7454b6e66c90d06c7dcede781d09cabd3cddfa
              • Opcode Fuzzy Hash: ce64465f43e9886d11e3f0ce266ca6eceded3bfea08a4c39f8ebba4ef750249b
              • Instruction Fuzzy Hash: 29118E70E0A54E9EEB61EB7888696F97BF0FF19300F0109B6D46CC20A6EE34A6448741
              Function 00007FFD9B8805D8 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e74d0dad025606725e1626f87ef036054a39a918d31e5a415e3243a39250d331
              • Instruction ID: 42d9d6c5ec13383bff93791d1caccdcd139301f20bef7efc171e967d663c557b
              • Opcode Fuzzy Hash: e74d0dad025606725e1626f87ef036054a39a918d31e5a415e3243a39250d331
              • Instruction Fuzzy Hash: 0E014F30A0990E8FEB98EF65C0A86BA77E2EF5C305F51447ED41ED21A4CE35A651CB40
              Function 00007FFD9B880A18 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 63b0c6f1024aba402b546353a8bbbd6f0cbbadecbab6908c58acda012823e068
              • Instruction ID: a808feacb71d8853ca131c8a6d0537e720431459516b1a694889cf590d7db021
              • Opcode Fuzzy Hash: 63b0c6f1024aba402b546353a8bbbd6f0cbbadecbab6908c58acda012823e068
              • Instruction Fuzzy Hash: 4C01A225E2AD4F4BE7A0EBA888651F977A0FF48A00F410475D43CD60E2EE386A048741
              Function 00007FFD9B880610 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57c2e21096eb0ac8235b1a0cfe5bfb1e728bdb2d33113832d921c2568cef7d54
              • Instruction ID: 1ecb32371c8beef5a96675e6cd0638629cc57424c8c90a509bd7a6bce93f4d3b
              • Opcode Fuzzy Hash: 57c2e21096eb0ac8235b1a0cfe5bfb1e728bdb2d33113832d921c2568cef7d54
              • Instruction Fuzzy Hash: C4014B30A1990E8BEB68AFA484686B972A0FF18305F5108BED42EC21E5DE35A650CA00
              Function 00007FFD9B88274D Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cee17a2b12a8d96fd32208677b11f3a1a91ffd556fe4752292b87461397c073
              • Instruction ID: 212e714b41de255d7fd6207e463df90e392fd50b796379ba222985c6284f8835
              • Opcode Fuzzy Hash: 4cee17a2b12a8d96fd32208677b11f3a1a91ffd556fe4752292b87461397c073
              • Instruction Fuzzy Hash: 04F0BB3090EB8ECFDB69AFA488251F93BA0FF19301F4645BED419C51E6DB399550CB01
              Function 00007FFD9B880608 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47cfa072a0f39b6102c1bbb1e5383e33db7932404d11ddc041f66e35e1d2a5d5
              • Instruction ID: 138ddc22659a1f1a339331a0d539df885c4f1a0f4e79e4960082366d3fd33d61
              • Opcode Fuzzy Hash: 47cfa072a0f39b6102c1bbb1e5383e33db7932404d11ddc041f66e35e1d2a5d5
              • Instruction Fuzzy Hash: 7DF06C3095A94FCBEB6CEFA484242F93294FF08304F41087AE42EC11D4DF346154C641
              Function 00007FFD9B8826E9 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7688056ba8fda497c2abc2cbed092e122e51371a761b7f3a3a3d161368eec22
              • Instruction ID: 562ba0522fb5e40246375e1be97380475c288a401fff041e5571868e39a9829e
              • Opcode Fuzzy Hash: b7688056ba8fda497c2abc2cbed092e122e51371a761b7f3a3a3d161368eec22
              • Instruction Fuzzy Hash: D2F0A73050A64ECBDB6CEF6484682F937A0FF09304F40097EE42DC10D5DF799254CA40
              Function 00007FFD9B892C65 Relevance: .0, Instructions: 26COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction ID: 4c199b4a2003c598fbd283165bcefcc43524159303bcdfd7c526b69fb836a11a
              • Opcode Fuzzy Hash: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction Fuzzy Hash: 8FF03030E0590E9BEB60EB99C854BEDB7A1FB48301F1081B5C418E21A5CE386A84CF50
              Function 00007FFD9B881690 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction ID: 7831a75fca22ed4a6f76c25817cf68fc95cfff171d2859939b2e6fda72d7f639
              • Opcode Fuzzy Hash: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction Fuzzy Hash: 2BE0E520F0AC0A47E6747799849557461D15F4C314FBA8675F03DCA1F1EF38ED81D201
              Function 00007FFD9B884031 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction ID: 70d59db3d3d54aa0e5a13b50bb9406676ee000a1d4b7a1e4adf1702d995bbb3f
              • Opcode Fuzzy Hash: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction Fuzzy Hash: B7E09AB0D4E6298FDBA1DF6489587A977F0AB09380F5101E5901DE6161DA345B849F10

              Non-executed Functions

              Function 00007FFD9B889CC9 Relevance: .6, Instructions: 563COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1696285694.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b880000_inxVlfQD8T.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2d4be5497718294874c99b5af00750c7646f04c3c8b00daabcff7d461f9caaf
              • Instruction ID: cb0ace3d468c87def3f9df5e3bc054f8c799dfbdedf747591404ce7d34f14d2f
              • Opcode Fuzzy Hash: c2d4be5497718294874c99b5af00750c7646f04c3c8b00daabcff7d461f9caaf
              • Instruction Fuzzy Hash: 3312B03194E7CA8FDB539B7488655E53FB0EF1B200B0A05EBD494CB0B3D638A959C752

              Executed Functions

              Function 00007FFD9B8935EA Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33ce7e64d773a21ecb7d340353f87614250ac894d25501f8a10cc8d4a949f754
              • Instruction ID: 6b13926698733ae31186d860eaf38f5dc4b51f6355fb2c90e33c6377ed836d71
              • Opcode Fuzzy Hash: 33ce7e64d773a21ecb7d340353f87614250ac894d25501f8a10cc8d4a949f754
              • Instruction Fuzzy Hash: 3F518262B1994D8FEB58DB6CD8257A87FA1EF9A350F9002BAD00DD33DADBB414028741
              Function 00007FFD9B89EDF0 Relevance: 3.8, Strings: 3, Instructions: 82COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: [$]$g
              • API String ID: 0-3773536528
              • Opcode ID: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction ID: 194a3736bd6b056cff7ab335a11a6daa5ee7b44e1cfde05155c11d98fa952c73
              • Opcode Fuzzy Hash: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction Fuzzy Hash: 1641D470E0962E8FEB79DF54C8547F9BAB1AB58301F0141FAD40DA66A1CB782A84DF00
              Function 00007FFD9B89EFF8 Relevance: 2.6, Strings: 2, Instructions: 59COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: U${
              • API String ID: 0-2735307867
              • Opcode ID: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction ID: ed5077fbbdb92008ee63a700d8090cff0cb5e52a7b6aac60491c06828b78ee06
              • Opcode Fuzzy Hash: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction Fuzzy Hash: 9621EC70A09A6D8BEF79DF54C8647B97AB1BB48301F1141FED40DA66A0CB782A849F41
              Function 00007FFD9B8A15B9 Relevance: 2.5, Strings: 2, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: %$*
              • API String ID: 0-3952375145
              • Opcode ID: aeb5c86f0e53fd377f3f08fd4fa6fda95bb1783ef070feebfb1a06938e0f1fac
              • Instruction ID: 7f1f9fbf3e976124c91bd56ff411681ffbf17357c9df7c02b7a4388dbd90f200
              • Opcode Fuzzy Hash: aeb5c86f0e53fd377f3f08fd4fa6fda95bb1783ef070feebfb1a06938e0f1fac
              • Instruction Fuzzy Hash: 2CF03A30A0862DCBEB24EF90CC686EDB3B1FB56301F04422AC4099B2E4DBB86944CF55
              Function 00007FFD9B89C7FB Relevance: 1.4, Strings: 1, Instructions: 154COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: ^
              • API String ID: 0-1590793086
              • Opcode ID: b5dd0f760e6108305f96fffd2dc957bb4957a745d800a8b3b3f192725accfd03
              • Instruction ID: 9577362d2d31d18d69d1da859cec0484c8b5be018d4d4a1643ff2ba3cdc78791
              • Opcode Fuzzy Hash: b5dd0f760e6108305f96fffd2dc957bb4957a745d800a8b3b3f192725accfd03
              • Instruction Fuzzy Hash: 5041352770962E8EDB167FB8BC590F97B60EF45364F1502BBD419C6097EB24605A8BC0
              Function 00007FFD9B89F376 Relevance: 1.4, Strings: 1, Instructions: 136COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: M
              • API String ID: 0-3664761504
              • Opcode ID: 7a2af81881d972a2253f8f96749c0ed3c1e8804845053490c276f4bcda25ad5e
              • Instruction ID: f21f486f0e4283a946ea2d0e8ba6e1eea9781757b542b7bbd471e9a780488a41
              • Opcode Fuzzy Hash: 7a2af81881d972a2253f8f96749c0ed3c1e8804845053490c276f4bcda25ad5e
              • Instruction Fuzzy Hash: 425117B1E19A1D8FEF68DB5488A57E9BBB1FB58300F4001EAD14DA3291CB746A81CF45
              Function 00007FFD9B8903BD Relevance: 1.3, Strings: 1, Instructions: 84COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: sR^
              • API String ID: 0-558288941
              • Opcode ID: 3190a4d243a5b644905f224865a1a96a6da245b248bdf54f761fe634bb09d967
              • Instruction ID: 97e078beccfa02e5a72aa861c9f294c3ee8bc9249df200f95f971a09135a4bef
              • Opcode Fuzzy Hash: 3190a4d243a5b644905f224865a1a96a6da245b248bdf54f761fe634bb09d967
              • Instruction Fuzzy Hash: 7C214983B0FAD32BEB565B790C654586FA0FF2264475D80BFC0A8470E7D909E80A8389
              Function 00007FFD9B89F654 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: U
              • API String ID: 0-3372436214
              • Opcode ID: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction ID: 253c5d9181c988806f93663aea52ff1fceeb89c916867f3fd2d427291a3c7069
              • Opcode Fuzzy Hash: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction Fuzzy Hash: 93F03030A08A4D8FEB29DB40C8607E97BB6FF58350F0501EAD409D62A0CB746B858B40
              Function 00007FFD9B8A10C5 Relevance: 1.3, Strings: 1, Instructions: 22COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: %
              • API String ID: 0-2567322570
              • Opcode ID: a8251bfa4ca0ea7820a232e01b404abed5f3cdb520a8bd9ffb129f4a33f17504
              • Instruction ID: e2ee485a60fae72f12a94c7b93e1950f26a6460172969ce79e1e2022ec72f993
              • Opcode Fuzzy Hash: a8251bfa4ca0ea7820a232e01b404abed5f3cdb520a8bd9ffb129f4a33f17504
              • Instruction Fuzzy Hash: CEE02230A0C25D8FDB14EFA0CCA49EDB7B1FF4A301F08026AC0498B2E4CB782944CB84
              Function 00007FFD9B8A3395 Relevance: .5, Instructions: 546COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18937b6db395f1e192af4570e59e9f76e9c655f59bab7fbdd0390fd4f20ea297
              • Instruction ID: 2c258e019aeaa7a328b62b2014dde1aca4dd290b0c15eaa6f2436dece4cf5653
              • Opcode Fuzzy Hash: 18937b6db395f1e192af4570e59e9f76e9c655f59bab7fbdd0390fd4f20ea297
              • Instruction Fuzzy Hash: AF51C752A0F7D94FE713A7785C7A1A87FB0EF17214B0905FBD098CB0E7E91869458352
              Function 00007FFD9B890498 Relevance: .4, Instructions: 420COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da9713c0c24cfb5cf09fbd9e70124eea539c79837ccf8ec1c109a4b16d5ff12f
              • Instruction ID: 123c720158638a85465d1509fd796e867a1772942531596d3d735289175fd1b2
              • Opcode Fuzzy Hash: da9713c0c24cfb5cf09fbd9e70124eea539c79837ccf8ec1c109a4b16d5ff12f
              • Instruction Fuzzy Hash: B5C11743B0F6E65BEB2663AC7C795E93F90DF4166970902F7E0D8CA0E7EC0865468381
              Function 00007FFD9B89D969 Relevance: .4, Instructions: 389COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cdd31c579b8701b535b1d4b79dd6c6cc544880ec90835092e65d908347df7b7
              • Instruction ID: afff0838bb1b58bb005e423ddb707b35973cba01d582c0d5fcc00105c3326a2f
              • Opcode Fuzzy Hash: 0cdd31c579b8701b535b1d4b79dd6c6cc544880ec90835092e65d908347df7b7
              • Instruction Fuzzy Hash: 96E14C71E1965D8FEBACDB98C8A47B8BBB1FF58300F0401BAD01DD32A6DA346941CB45
              Function 00007FFD9B8905A0 Relevance: .3, Instructions: 321COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e82335043e5d4d29c39723592400b5f6f8fba9daa5c54e762d736f4142a84d1b
              • Instruction ID: 25c5cfebe6ae0b91cd1e301471f9f0e5e02abab66cfc9ccf78c151aa1ccb0d10
              • Opcode Fuzzy Hash: e82335043e5d4d29c39723592400b5f6f8fba9daa5c54e762d736f4142a84d1b
              • Instruction Fuzzy Hash: 5B912943B0F6E65BEB2663EC7C791E92F90DF4566470902F7E098CA0E7EC1865468381
              Function 00007FFD9B8905FA Relevance: .3, Instructions: 307COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c8028866f9bd961e051a40d5d93ef2ddcfe6c9e4425e240882940913cf5ffe42
              • Instruction ID: 33a2c4ced4446d9eece47b5eef032139cea44d7d02c15f48f29b6712e312c8c0
              • Opcode Fuzzy Hash: c8028866f9bd961e051a40d5d93ef2ddcfe6c9e4425e240882940913cf5ffe42
              • Instruction Fuzzy Hash: A7914943B0F6D55BEB2663EC7C791E97F90EF45664B0902F7E098CA0E7EC1865068381
              Function 00007FFD9B891628 Relevance: .3, Instructions: 286COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3a2d5fb1f18b04cbbbaa909aa39815b84e112dfc2df5e08d81893852f2d62d4
              • Instruction ID: baa6010f17ae221bf8cdb170970ed0fdca11c656644af897244f46a819ce739b
              • Opcode Fuzzy Hash: a3a2d5fb1f18b04cbbbaa909aa39815b84e112dfc2df5e08d81893852f2d62d4
              • Instruction Fuzzy Hash: CD81D031B0DA494BEF59EF5C98615A97BE2EFD8300B15057AE49EC3292DE34AD028780
              Function 00007FFD9B890640 Relevance: .3, Instructions: 270COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f21802976e6fa3cafef2b478d0ec33b66351fe0a8ececa7e6acc798b7a7d6691
              • Instruction ID: 786099183296a6a6e28f9904314d0df4d468c862e70d4b4a48dfef2b640d2585
              • Opcode Fuzzy Hash: f21802976e6fa3cafef2b478d0ec33b66351fe0a8ececa7e6acc798b7a7d6691
              • Instruction Fuzzy Hash: BE714843B0F6D55BEB2667EC6C691F92FA0EF45664B0902F7E0D8CA0F7EC1565068381
              Function 00007FFD9B8905B8 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ef36574941f01b3529b415d655f4e24ed0d9b3399dc561c7b92a643a54075a1
              • Instruction ID: 65cd69c8a0950afe696c739aa05c873e5c9423b459bcaeb062107a1a1bd9275c
              • Opcode Fuzzy Hash: 5ef36574941f01b3529b415d655f4e24ed0d9b3399dc561c7b92a643a54075a1
              • Instruction Fuzzy Hash: BA517942B1F6965BEB2267FCAC691E43FA0EF45760B0901FBD098CA0E7EC14A5468381
              Function 00007FFD9B891C8D Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d6e729f01ae85b0fbac910190b4e2a968207a61711456861958f431abba4a5d
              • Instruction ID: 691c9a829db448d528e3732c77dab37b359665a4de9d0047591ea154460a2e6c
              • Opcode Fuzzy Hash: 4d6e729f01ae85b0fbac910190b4e2a968207a61711456861958f431abba4a5d
              • Instruction Fuzzy Hash: 6951C131B0DB498FDF59DF1888A05BA7BE2FF98704B15457EE45AC7292DE34E8028780
              Function 00007FFD9B8A2A81 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 939a2ceba0e32fc2013b0cc9e2fe598c4bf32e33453d9cfdb6ca0982bc45e2f3
              • Instruction ID: fe88fbaf5ab496108ea984e86d8687515b67dd656e0b7464d9b36a97e9765457
              • Opcode Fuzzy Hash: 939a2ceba0e32fc2013b0cc9e2fe598c4bf32e33453d9cfdb6ca0982bc45e2f3
              • Instruction Fuzzy Hash: AF51DC70E0951D8FEBA4EF98C5647ECBBB1FB58300F5141BAC01DE7291DA746A848F50
              Function 00007FFD9B8930E1 Relevance: .2, Instructions: 151COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7f2a909a51e1ac2f866ad19d4f839be67c5330393cf00d360498eb64e52a8d3
              • Instruction ID: eacadd679e00e09d408e39c1739ac687e1d3956ac42167b5f216de872a5ac50a
              • Opcode Fuzzy Hash: b7f2a909a51e1ac2f866ad19d4f839be67c5330393cf00d360498eb64e52a8d3
              • Instruction Fuzzy Hash: D8510970E0A51E8FEF68DBD8C464AECBBB1FF59301F510179D009E72A1DA38AA44CB40
              Function 00007FFD9B8920A5 Relevance: .1, Instructions: 145COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d97eabf135d62dc5f5a9c3c1404313f04e44b69f8a56212437c7d9da83c4899
              • Instruction ID: d2e708a8e1e4e587b4e71c859ea3ca5a184603db512f2cf81ff11db9f3379384
              • Opcode Fuzzy Hash: 7d97eabf135d62dc5f5a9c3c1404313f04e44b69f8a56212437c7d9da83c4899
              • Instruction Fuzzy Hash: 36415D31B0E64E4FEB6ADBB898655B87BE0FF89310B0545FBD04DC71A6DE28B9418341
              Function 00007FFD9B89BCC9 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe00794c445cb7738e0972b4c2e711f254943ec6f63bc34073080a1c8e9a0c31
              • Instruction ID: bd48c0742745601da24cf32fd94c4cb2eb967cc1cf722392454981dc0dc11e8d
              • Opcode Fuzzy Hash: fe00794c445cb7738e0972b4c2e711f254943ec6f63bc34073080a1c8e9a0c31
              • Instruction Fuzzy Hash: D241E570E0A64E8FEF68DFA4C4646ED7BB5EF48710F11047ED01AE72A1DA396A408B50
              Function 00007FFD9B89C165 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef0ed357558358d1d9aebe8469983058cdad250a4a60a61e8c6afa2d46b116e0
              • Instruction ID: d47748ea694a063089a0569a81781f99b08c612e73386c9764b9a4bd87174721
              • Opcode Fuzzy Hash: ef0ed357558358d1d9aebe8469983058cdad250a4a60a61e8c6afa2d46b116e0
              • Instruction Fuzzy Hash: F131BB75E1991D9FEFA4EB98D8A5AACBBB1FF9C300F510139D00DE3292DE3569418B40
              Function 00007FFD9B89AEFA Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91c9c2c0b1f57180d88ce6482b48441d80eb96dc38726c1448f7f5045dfe858d
              • Instruction ID: 7573b2b66f2067e1d251a91ba54ff01f8ce9e12f1152d2e816149a29024ab8ed
              • Opcode Fuzzy Hash: 91c9c2c0b1f57180d88ce6482b48441d80eb96dc38726c1448f7f5045dfe858d
              • Instruction Fuzzy Hash: B5312865F0E98EAFEB61DBB888280E87FE0FF59300F0505BAC058C70E6EE3466058351
              Function 00007FFD9B890805 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6bd86430406886935b8c109393ceb60ba84c3526c7367748bfed23dfd448b162
              • Instruction ID: 34f755f49c0ad8a04338d695ddabd7128d1f4737cf42b8c8e9cb2382dad89640
              • Opcode Fuzzy Hash: 6bd86430406886935b8c109393ceb60ba84c3526c7367748bfed23dfd448b162
              • Instruction Fuzzy Hash: C1216B52B1E65A97EB1563BCDC792E97F90FF00318F0945B7C0A9C9093ED14A1568281
              Function 00007FFD9B8A2CA2 Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66bd9facd4a856bfeb18ecdae62c742d92484a8bf396034a5c6a0a9c0c57f95f
              • Instruction ID: 193eb0b2f2c1ec49a6db2bf8857e92dc0c07809abc84dc2ea395b000b7123561
              • Opcode Fuzzy Hash: 66bd9facd4a856bfeb18ecdae62c742d92484a8bf396034a5c6a0a9c0c57f95f
              • Instruction Fuzzy Hash: 03319770E1961D8FEB64EBA4D865BEDBBB1FF58300F5041A9D01CA3296DE3469818F41
              Function 00007FFD9B8A3BFA Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2250509b697367af480745c72ff497ec8b3b969ff30b5ff131a63360581f064
              • Instruction ID: 4bc137b622ccda40aa04ac4797a2d259cec27b4fab98f057fdafb5236ac94ad2
              • Opcode Fuzzy Hash: b2250509b697367af480745c72ff497ec8b3b969ff30b5ff131a63360581f064
              • Instruction Fuzzy Hash: 8D21F831A0F68E4FE762EBA88C691E97BE0FF1A310F0605B7D448C70A3D9249644C711
              Function 00007FFD9B8932F0 Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5060600324f92895fabfdece0ca308edd608190237406dce583335b6d8769873
              • Instruction ID: af8409d0e3636ddb2f1e530b87cde3e575c65afd0f741a6fdad6190666fff4b7
              • Opcode Fuzzy Hash: 5060600324f92895fabfdece0ca308edd608190237406dce583335b6d8769873
              • Instruction Fuzzy Hash: 06213D3094E78A4FD7439B7488685A97FF0EF0B314B0A45FBD088CB0B3DA29A545D751
              Function 00007FFD9B893391 Relevance: .1, Instructions: 76COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 367b61be3661fb70518a762acabefb8667ba6151033017494f0acfda5b011e03
              • Instruction ID: 9c5f07183db705569a945f7f83fca1548218e8892d59c3b0c8eab43baed00a34
              • Opcode Fuzzy Hash: 367b61be3661fb70518a762acabefb8667ba6151033017494f0acfda5b011e03
              • Instruction Fuzzy Hash: EC214C30A4A60E8FEF65EBA488696BE7BE0FF18305F01057AD41DC31A5DF39A640E740
              Function 00007FFD9B893485 Relevance: .1, Instructions: 76COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9bb4c5eddce3121ce4d6d16bad222844505d731ee8a4b963c2e46e5427dfd9de
              • Instruction ID: 3dfd965f9a4ed770f7f97d954d5dfb275a4b9bd57e2635496f745fbf5de12c69
              • Opcode Fuzzy Hash: 9bb4c5eddce3121ce4d6d16bad222844505d731ee8a4b963c2e46e5427dfd9de
              • Instruction Fuzzy Hash: 13218631E1A64E4FEF66DBA488696F97FE0FF28304F4204BAD41DD61A1DA39A650C701
              Function 00007FFD9B89A5A1 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 088ec135954d156acd393d5474ed0b46733908d5841cc4a16c25d51ec1a91645
              • Instruction ID: 94f90e6c0ad926b2bda5f3e1515250daa1e596c6dc03a9e9def022fa5064b257
              • Opcode Fuzzy Hash: 088ec135954d156acd393d5474ed0b46733908d5841cc4a16c25d51ec1a91645
              • Instruction Fuzzy Hash: 70215B70A1564D9FCF85EF58C499AA93BE0FF2C305F01016AE80AC7265DB34E581CB40
              Function 00007FFD9B89B814 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f05e0050bc032d3885d70fc77fcb1ed70d5324fea69f911e82ea350be658f248
              • Instruction ID: 2ef2e95d1f7b27aa055925259c50ccb0d5aaeaffcda174bccaf19a7ebd0d2387
              • Opcode Fuzzy Hash: f05e0050bc032d3885d70fc77fcb1ed70d5324fea69f911e82ea350be658f248
              • Instruction Fuzzy Hash: 4C21ED70E0551DCADF64EFA4C8646EDBAF0EF1C300F4145BAD40DE22A1DE345A818F50
              Function 00007FFD9B890A01 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 06cd6b156ee50503859b819edb2c013fa47927680f9010b8dae0dbd7ceddbad6
              • Instruction ID: fe54d6f9dac165b516a77c729159e89166b2f5166390f1d49dd0998b32f9f917
              • Opcode Fuzzy Hash: 06cd6b156ee50503859b819edb2c013fa47927680f9010b8dae0dbd7ceddbad6
              • Instruction Fuzzy Hash: 4B11C431F2A50E4FEB94EBA8C8695BD7BE1FF58700F4145B6D41CC71A6EE34A6408740
              Function 00007FFD9B890EEB Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a5bdf4fa0d2b76c86b987609c4d84182547281ca14755ad44718f9cfe48078f
              • Instruction ID: 2401bae920dbc583fb31db359ce943d0939648e6ce602cb5292535a94c8d9596
              • Opcode Fuzzy Hash: 5a5bdf4fa0d2b76c86b987609c4d84182547281ca14755ad44718f9cfe48078f
              • Instruction Fuzzy Hash: 51218031F1990E8BEB64DB94C864FED7BB1EF48710F114279C40AA72E5DE346A458B80
              Function 00007FFD9B8A2531 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f12b2ce52781cf09f632c929cde88ef2e38d28fecf375245161cdb7d01809939
              • Instruction ID: ebf98378d4c18c1461e56da2550357e397a50c4c629b8be57d67c9682c3c931b
              • Opcode Fuzzy Hash: f12b2ce52781cf09f632c929cde88ef2e38d28fecf375245161cdb7d01809939
              • Instruction Fuzzy Hash: 0811BE70A1964D8FDBA8DFA8C4A55F93BE1FF5D304F02017EE849C32A1CA34A540CB91
              Function 00007FFD9B891F59 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42c30ccf538e7728c526bccaa43105a074e0e3a8f5a08e5651c9b65de4157da8
              • Instruction ID: fd5e0a78e66d9655cd4600b3671944fc8605fcf30a74ea7d481bc3bfcbde9da2
              • Opcode Fuzzy Hash: 42c30ccf538e7728c526bccaa43105a074e0e3a8f5a08e5651c9b65de4157da8
              • Instruction Fuzzy Hash: F1115111A4F6CA6EEF2367B948754656F905F07224B2E46FBD0D8CB4F3DA085946C302
              Function 00007FFD9B89C8D3 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a75e4aec418cafb7eeb8e5055f41b28a1f15af75dbe4c70f0621c30f0180fa01
              • Instruction ID: dbffa708de857e45b7bf207afbd8c3cf7091beffab3b927e2cb18bd8c172b603
              • Opcode Fuzzy Hash: a75e4aec418cafb7eeb8e5055f41b28a1f15af75dbe4c70f0621c30f0180fa01
              • Instruction Fuzzy Hash: E711273560A69E8FDB59AF18D8681F97FB0FF4A221F4106BBD408C60A2CA351605CB91
              Function 00007FFD9B89112D Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4546515870cbc424c171108f7295009453b506a98190c4821c9394b09e2b0205
              • Instruction ID: 0f02432312ba7d894586546975fc6776f989b38b32ec05f3051cca9350ce8632
              • Opcode Fuzzy Hash: 4546515870cbc424c171108f7295009453b506a98190c4821c9394b09e2b0205
              • Instruction Fuzzy Hash: D111B670A0E64E6EEF6AABA8C8686B97FE0FF59310F0115BED419C61E1DF256540C740
              Function 00007FFD9B89C950 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e4bbbb2eba25b810f8a3b58c05df2f86b856e76d766525a52f99553a90d14b5
              • Instruction ID: 9c04eee01cda58d774a422cb292545d733e752b7be350ec52e98ee4096ac3be3
              • Opcode Fuzzy Hash: 8e4bbbb2eba25b810f8a3b58c05df2f86b856e76d766525a52f99553a90d14b5
              • Instruction Fuzzy Hash: 9F118F30A0A65E9FDB5AEB68C8686B93FF0FF09304F0105BBD41DC61A6DE355640CB41
              Function 00007FFD9B89BC45 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7c54bb06af29c6b0c3ff160beae98ab4e08fc6a5b882963935f12f0aa4c0951
              • Instruction ID: 334350af63c0c6920e961e7aca9abefda68ea36c15a544076193a476839f7c69
              • Opcode Fuzzy Hash: f7c54bb06af29c6b0c3ff160beae98ab4e08fc6a5b882963935f12f0aa4c0951
              • Instruction Fuzzy Hash: 47118230A0A64E4FDF59EF64C4685BD7BE0FF18305F4105BAD41DC61A1DE35A650C700
              Function 00007FFD9B89C035 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6e079d1a73ee5e5c46c9d24408a1267512a34e6ccd659076ba7331779b82dde
              • Instruction ID: 2e0ec7ae4c7183b6b02806e64d1aeca584f545f4bdcf97cbe3e94765c658c848
              • Opcode Fuzzy Hash: a6e079d1a73ee5e5c46c9d24408a1267512a34e6ccd659076ba7331779b82dde
              • Instruction Fuzzy Hash: C6118630A1964D4FEF95DF68C8692BD7BE0FF19300F01057ED419C61A1DE359640CB00
              Function 00007FFD9B8A2399 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e03a1df81f2231910d4230c9e8ce61335e44c1a843c3d0c44aec9c0da05b6f6
              • Instruction ID: 4f04c6aefe5d4043118193eda540f06e608f4249163b09738a2bfb873c34e784
              • Opcode Fuzzy Hash: 4e03a1df81f2231910d4230c9e8ce61335e44c1a843c3d0c44aec9c0da05b6f6
              • Instruction Fuzzy Hash: F2115E6188E3CA4FD7274BB058355E57FB4AF07214F0A05EBE889CA0E3D65C265AC323
              Function 00007FFD9B8A2A01 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52e56a70e7c6bb9049abf520bb477b04b8474eadd5ac6d2cce339a2bfbe517bf
              • Instruction ID: d134b3f1919d75c8d75b08d4af5c695973d465e8a1ba9e84e7944dde07937d3b
              • Opcode Fuzzy Hash: 52e56a70e7c6bb9049abf520bb477b04b8474eadd5ac6d2cce339a2bfbe517bf
              • Instruction Fuzzy Hash: FF118430A1D68E9FEB62EFB484595F97FE0EF1A300F0544B6D418C6076EA34A284C751
              Function 00007FFD9B89C479 Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29da0b71effca06c5c1866f51d108ae509c8534f214648575bc16d160b96e38d
              • Instruction ID: 88d992fee36c7426f2220d9d949985c548e330c3ecfb4a9f675d1a68a41e2ed2
              • Opcode Fuzzy Hash: 29da0b71effca06c5c1866f51d108ae509c8534f214648575bc16d160b96e38d
              • Instruction Fuzzy Hash: DF11A330A0A64D4FDF59EF6484692B93FB1FF59304F5241BBD419C60A2CA35A550CB40
              Function 00007FFD9B892DE1 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f26a611efdf0b51cf156a3a35fa2b88b2f8e2d4d469a41814cc317a6ffde0084
              • Instruction ID: 949b52b1d3a7690d9503541a1462447e2b9f0f73905af802f036a721809fff59
              • Opcode Fuzzy Hash: f26a611efdf0b51cf156a3a35fa2b88b2f8e2d4d469a41814cc317a6ffde0084
              • Instruction Fuzzy Hash: B6018B30A0A20E8FEB55EFA4C4996A97BE1EF19300F0646B6D40CC70B6EA38E6408700
              Function 00007FFD9B8905D8 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 821c0637cfc876c9f7604fc0b6fe0839bcf642a897fa655ca27f3c6229e48dba
              • Instruction ID: f0ccb9398cc7e69b08cd0bdcb164798e1936a00e8e0daed9b595d37e7c23f892
              • Opcode Fuzzy Hash: 821c0637cfc876c9f7604fc0b6fe0839bcf642a897fa655ca27f3c6229e48dba
              • Instruction Fuzzy Hash: 54019230A0950E9FEF98EF65C4A56B97BA1FF5C308F51047EE41EC21A4CA35A650C740
              Function 00007FFD9B891C01 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15c4e193139ba171d6b8e2e5c94e8261aa8340fe1e6d0fb30f343752accef51c
              • Instruction ID: 230f660e11bbf20bbbcfc18d7663671692c9ef84edf534e5ffb42ca81e7fec3c
              • Opcode Fuzzy Hash: 15c4e193139ba171d6b8e2e5c94e8261aa8340fe1e6d0fb30f343752accef51c
              • Instruction Fuzzy Hash: DA01A230A0E68E8FEF99EF2588655A97FA0FF59304F45057AE418C61A2DA359650C740
              Function 00007FFD9B8A0DF0 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0c462b6f7d8da65b154afe86edd84107bd86ce8a79fd4391c3c6414c51f5aa0
              • Instruction ID: b3a8dfe45509ab99d126ee223897b1b695eebcb9b7c4e6df3c9dafd04df73d93
              • Opcode Fuzzy Hash: a0c462b6f7d8da65b154afe86edd84107bd86ce8a79fd4391c3c6414c51f5aa0
              • Instruction Fuzzy Hash: 16012C30A2590E8FEB98EFA4C4686BE7BE1FF18305F11047AD41ED21A5DF35A660C711
              Function 00007FFD9B892E59 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b4eeb98d9f48bb060e687d4659ecd580b7ee0d37ba33e34539ed3b976c85ea4
              • Instruction ID: 7bb147d268344e220449b7e4e7e0bb58633f850c74b93041d104ebc3095fab1a
              • Opcode Fuzzy Hash: 4b4eeb98d9f48bb060e687d4659ecd580b7ee0d37ba33e34539ed3b976c85ea4
              • Instruction Fuzzy Hash: 70018830A0F64D4FEB65AFB488995AD3FE0EF4A300F5645F2D418C60B7DA28A5448701
              Function 00007FFD9B89AAE9 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 03825044e195fd84b812d2386e79505e005622dc55156b6f1306debf5cd8b40b
              • Instruction ID: 7159bfbb2ebd2ac7547fa4f7c9623b8fe9d156a1fb084bf81c8d172fd5bdf209
              • Opcode Fuzzy Hash: 03825044e195fd84b812d2386e79505e005622dc55156b6f1306debf5cd8b40b
              • Instruction Fuzzy Hash: E0018434A4E64E9FDB52ABB488696A97BE1EF09304F4609F3D00CC60B6DE38A5448701
              Function 00007FFD9B8927BD Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15732fee58c5da76e6a2375cae6b55bfed41585b41d6ede022fe6589a08af453
              • Instruction ID: 9cec2f920568151303e773cc494b0712c4e06b9e08a79c4b8143960cc2946846
              • Opcode Fuzzy Hash: 15732fee58c5da76e6a2375cae6b55bfed41585b41d6ede022fe6589a08af453
              • Instruction Fuzzy Hash: 5B018F30A1E64E8FEB65EFA488695E97FE0FF19300F4644B6D408D70A6EA38E6448701
              Function 00007FFD9B890610 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e458b29f2bda49fcd7cf6524165f9c906077a04086e83f4847915c1b0d70a5ed
              • Instruction ID: 44e7562131a3330a085ce9d54ba1c20fefe69644842fe80685f8097670a2bed6
              • Opcode Fuzzy Hash: e458b29f2bda49fcd7cf6524165f9c906077a04086e83f4847915c1b0d70a5ed
              • Instruction Fuzzy Hash: A5016D30A1950EDAEF6CEFA4C4686B977A0FF1C305F5108BEE41ED21E5DE35A650CA01
              Function 00007FFD9B890608 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ad3210f684c12ad7e0682a278165558611f918fd4275bea0bac05acf55801ba
              • Instruction ID: 859a6b07289d58a857a8b4f658b00c550f5aea05115decd691f325df90f38e87
              • Opcode Fuzzy Hash: 6ad3210f684c12ad7e0682a278165558611f918fd4275bea0bac05acf55801ba
              • Instruction Fuzzy Hash: 23016D30A1A50E9AEF5DEFA4C4686B976A0FF18308F11087EE41ED21E5DF35A254CA00
              Function 00007FFD9B8A0DD1 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ceeb755b7f343d69a5fbe17d3faa35dfa2341055b018457b72e5c365d495afd
              • Instruction ID: cfa2070cf26cd8b6e51dc235aa9b6496f4e8c6db44024740deabd6b72d0e7d17
              • Opcode Fuzzy Hash: 5ceeb755b7f343d69a5fbe17d3faa35dfa2341055b018457b72e5c365d495afd
              • Instruction Fuzzy Hash: E2F08131A1A68E8FEB95DF6488282FE7BE0FF19301F01057AD81CC20A1EB745A608701
              Function 00007FFD9B891140 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86bfa4fa52013dee690b19e71acc6b5a93a0fffe027ed39de8044330e8af6905
              • Instruction ID: be606458a11da82167e17e3c52c4c51853ce824f650250944e5fc825371fabe6
              • Opcode Fuzzy Hash: 86bfa4fa52013dee690b19e71acc6b5a93a0fffe027ed39de8044330e8af6905
              • Instruction Fuzzy Hash: 15F0C870E1E61E6AFFA9ABA898683FA7BE4FF59355F00157AE41DC20E1DF341214C640
              Function 00007FFD9B89ABB8 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e2bfa2b7555ad8398de03ea4ee9d9bff0bdb2595821c07598d72a8dbb60b2ad3
              • Instruction ID: 301d0b4451e8f31a7e67a9a3d2b145f5e0c65d4c90a4fcd9f66673a79a675607
              • Opcode Fuzzy Hash: e2bfa2b7555ad8398de03ea4ee9d9bff0bdb2595821c07598d72a8dbb60b2ad3
              • Instruction Fuzzy Hash: 13F0AF30A1A50E8BEB68EFA4C5696FE77E4FF08314F11087EE41ED20E5DE39A250C650
              Function 00007FFD9B8905D0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f96acea8c7cad3e98c8266d4c39f57d3a50417ab9bf795bf8fbdf57a6353ef14
              • Instruction ID: ccd1a1c81148dd45aa7599810dce95861826ad7c8b10445ea420de293d238b2b
              • Opcode Fuzzy Hash: f96acea8c7cad3e98c8266d4c39f57d3a50417ab9bf795bf8fbdf57a6353ef14
              • Instruction Fuzzy Hash: 89F0C230A0E60E9FEF99EF6494656FA7BA0EF09308F41047AE81DC21E1CA35A650C740
              Function 00007FFD9B89274D Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30ac4a006ff5347f3ad4d95fd532c239e2762f00683b81a82ca0865c1dcf945c
              • Instruction ID: 7f1ac59a2e186042c40e0b468ae9fe7f9538aa12239e4b8d8720b487fae79d82
              • Opcode Fuzzy Hash: 30ac4a006ff5347f3ad4d95fd532c239e2762f00683b81a82ca0865c1dcf945c
              • Instruction Fuzzy Hash: F3F0F63090E78EDFDB6D9FA488241A93FA0FF09200F4645BAD409C50E2DB389540CB01
              Function 00007FFD9B8926D9 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8004c170ce4f256503cdf9fc773600d3c1e203418e3058865a9e259cebf24b32
              • Instruction ID: 9623c9da25caf843c877481067d885130cbbe2fdb74bbcbb49430f5db4120406
              • Opcode Fuzzy Hash: 8004c170ce4f256503cdf9fc773600d3c1e203418e3058865a9e259cebf24b32
              • Instruction Fuzzy Hash: 0FF06230A0E78D8FDF6E9FA488391A93FA0BF0A204F4604BBD409C60E3DB389558C701
              Function 00007FFD9B8A2C65 Relevance: .0, Instructions: 26COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction ID: fb7ff9285d4835763ac0e3a02361504c605a996be72a4b11c645df8e26a645bb
              • Opcode Fuzzy Hash: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction Fuzzy Hash: DAF0D070E0551E9BEB60EB99C854BEDB7A1FB58301F1081B5C409E21A5DE386A84CF50
              Function 00007FFD9B891690 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction ID: 5bb82c9ae59f4e51d817eda91e22b336504931222ca8b252574c89460ad9dc86
              • Opcode Fuzzy Hash: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction Fuzzy Hash: 3EE06D20F0E40E5AEF34B7998494634A5D19B48304FBA8675F02DCA1F1EB28EE82C201
              Function 00007FFD9B894031 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000016.00000002.1760962920.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_7ffd9b890000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction ID: f01b63976795f394742030fa3689e68c9c098800c2124099435bc81ab60d2b00
              • Opcode Fuzzy Hash: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction Fuzzy Hash: 42E09AB0D4D229CEEFA1DF6489587AC7BF4AB09380F5101E5900DE6161DA345B849F10

              Executed Functions

              Function 00007FFD9B8A35EA Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b43c8677c0dac354b9d1cb0721e453193930bb463f45e71c72270365aaa5c81
              • Instruction ID: 43127f35983cc2d2a8e6358fb21853c5c1e026ca4add41caf68d2ca823c2dc45
              • Opcode Fuzzy Hash: 3b43c8677c0dac354b9d1cb0721e453193930bb463f45e71c72270365aaa5c81
              • Instruction Fuzzy Hash: F551B662B18A4D8FE758DBACD8257AC7BE1EF9A350F9041BAD00DD72DADBB414028741
              Function 00007FFD9B8AEDF0 Relevance: 3.8, Strings: 3, Instructions: 82COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: [$]$g
              • API String ID: 0-3773536528
              • Opcode ID: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction ID: c060c35d2037185729d83e7d6241603a0cbbb2552b67658b0ce42cd2e50480fd
              • Opcode Fuzzy Hash: 119df42caabe3b8705a77adf826bc15c8c88b8e5afc42950e66cf57bee976a7b
              • Instruction Fuzzy Hash: BD41D270E0962E8FEB78DF54C8A47F9B6B1AB58301F0141FAD44DA66A1CB781B84CF10
              Function 00007FFD9B8AEFF8 Relevance: 2.6, Strings: 2, Instructions: 59COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: U${
              • API String ID: 0-2735307867
              • Opcode ID: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction ID: 0448266c28378c828deea2e11f3122c35057f4c8270e88f9c535ffe2742c74bc
              • Opcode Fuzzy Hash: c7e43faaad9e3a8ac0c5656701c5fb6a236625944fd0e6085730b7b08b54beb8
              • Instruction Fuzzy Hash: FC21E670A0966E8BEB78DF54C8647F9B6B1BF48301F1141FED40EE26A0CB781A848F11
              Function 00007FFD9B8B15B9 Relevance: 2.5, Strings: 2, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: %$*
              • API String ID: 0-3952375145
              • Opcode ID: 5602029b0c230e69c2a096e686a445c8f256d7b5ae941a4155efa4b3d2697d99
              • Instruction ID: f4a90b6c1e5315f71cd9196bb76a96703dd996ac6a6613cdf813014c1021c074
              • Opcode Fuzzy Hash: 5602029b0c230e69c2a096e686a445c8f256d7b5ae941a4155efa4b3d2697d99
              • Instruction Fuzzy Hash: BCF03030A0862DCBDB24EF94CC586EDB3B1FB55301F04422AC4195B2E4DB786948CF85
              Function 00007FFD9B8AC80F Relevance: 1.4, Strings: 1, Instructions: 170COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: ^
              • API String ID: 0-1590793086
              • Opcode ID: d19972a4ded03b1c34982c56ef742bf706890fa66377118fa29949b22f623d70
              • Instruction ID: 1ddc32b4b7730e046afb1c0b9f9a84ec32bcde903137233ce000c3dbe8c650eb
              • Opcode Fuzzy Hash: d19972a4ded03b1c34982c56ef742bf706890fa66377118fa29949b22f623d70
              • Instruction Fuzzy Hash: D9517B27B0D22A8AE7167BBCBC690FD7794EF45334F05057BC05DC60E7EB2820568AA5
              Function 00007FFD9B8AF376 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: M
              • API String ID: 0-3664761504
              • Opcode ID: 624735885b8cca576076d6f20ecf96b46e541171cb52ed75284c696eec4a8f25
              • Instruction ID: 1756c71f76ea0addc8a63e83d75469866217dd858d5a23ccbfb671e7d6abcf34
              • Opcode Fuzzy Hash: 624735885b8cca576076d6f20ecf96b46e541171cb52ed75284c696eec4a8f25
              • Instruction Fuzzy Hash: EE5125B0E1961D8FEBA8DB5888A57E9B7B1FB58300F4001EAD14DE3291CB742A81CF55
              Function 00007FFD9B8A03BD Relevance: 1.3, Strings: 1, Instructions: 84COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: sQ^
              • API String ID: 0-1726393085
              • Opcode ID: f1d68f161f6e83a05717de2719a277da68f7690f287aa59accdad305ab43e4a7
              • Instruction ID: 6c4079b1a754f7cb89be18eedb9f5dd30c982fa4b5ad44bb630fb6cb407dafe4
              • Opcode Fuzzy Hash: f1d68f161f6e83a05717de2719a277da68f7690f287aa59accdad305ab43e4a7
              • Instruction Fuzzy Hash: 51216E93B0FAD32BE7166B790CA54586FA0FF2264475D40BFC0AC4B0DBD909E8098395
              Function 00007FFD9B8AC8FF Relevance: 1.3, Strings: 1, Instructions: 80COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: {L_^
              • API String ID: 0-1426764109
              • Opcode ID: 335aca7e9ad4facb444b1e633d4dfca2651bc01bdba11d0b2b6d074a6baab4c6
              • Instruction ID: 481eef6accda7429014844807874e97490514bb61f015e776c7fc9e00774c831
              • Opcode Fuzzy Hash: 335aca7e9ad4facb444b1e633d4dfca2651bc01bdba11d0b2b6d074a6baab4c6
              • Instruction Fuzzy Hash: 3921E971E0D66F8BEB567BE8AC691F83794EF09328F090577D01DC60E7DE2821404665
              Function 00007FFD9B8AF654 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: U
              • API String ID: 0-3372436214
              • Opcode ID: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction ID: f4e49ad7d253eeb95eb21d9c35c1656876f819640de72d9375cd39306cebf190
              • Opcode Fuzzy Hash: a9db1640faabfd03d7775651f73f9f420db408bbea70fd2eb74caa72c67235c9
              • Instruction Fuzzy Hash: 76F05E30A08A4D8FEB69DF40C8A0BE977B2FF58350F0101EAD409D32A0CB786B858F10
              Function 00007FFD9B8B10C5 Relevance: 1.3, Strings: 1, Instructions: 22COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID: %
              • API String ID: 0-2567322570
              • Opcode ID: b6b5cb5139d92e9e81abe0fcb7b18ff7940c244326f27c8ada70f9e9d21bbd30
              • Instruction ID: 60a3bba91ecd2e547a6ddac9eda1f0da9b278c5855f3e5dc2bdffe2d17e778a3
              • Opcode Fuzzy Hash: b6b5cb5139d92e9e81abe0fcb7b18ff7940c244326f27c8ada70f9e9d21bbd30
              • Instruction Fuzzy Hash: 03E0E530A0C26D8FDB14DF64CC945ED77B1EB46301F04026EC0498F2A4CB741944CF84
              Function 00007FFD9B8B3395 Relevance: .5, Instructions: 544COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 671a41d270e03849b0cf0621b2427c1231c96be93e44b641cae0a7cac79a2590
              • Instruction ID: 07936fc51b82615d9412e88cba020cac761d1527c07a8a92d5288c4d3c09cc8f
              • Opcode Fuzzy Hash: 671a41d270e03849b0cf0621b2427c1231c96be93e44b641cae0a7cac79a2590
              • Instruction Fuzzy Hash: D351EA52A0F7E54FE71797B85C791A47FB0EF17214B0904FBD098CB0E7D91869458782
              Function 00007FFD9B8A0498 Relevance: .4, Instructions: 420COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a68cf3b8000c5b7211e73b2fefaf7ab89e2e6c5f1c3153e52a08324a4d0e7c5d
              • Instruction ID: d69e17b6aafd77ef24b16758c9043945779af1030de2dde238f7c43c7500f221
              • Opcode Fuzzy Hash: a68cf3b8000c5b7211e73b2fefaf7ab89e2e6c5f1c3153e52a08324a4d0e7c5d
              • Instruction Fuzzy Hash: 04C13643B0F6EA4BE32663AC7C754F97B60DF4266870D43F7D09C8A0E7EC19650682A5
              Function 00007FFD9B8AD969 Relevance: .4, Instructions: 389COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bec14e98a53811e1ccab23734c4e8300b133123950d9df1604a8078955f7f056
              • Instruction ID: d7da61cc4e1959f928b95b2c147b40316a48f094576e0281ed9aa679841f1ec5
              • Opcode Fuzzy Hash: bec14e98a53811e1ccab23734c4e8300b133123950d9df1604a8078955f7f056
              • Instruction Fuzzy Hash: 49E13B71E1965D8FEBA8DB98D8A4BB8B7B1FF58300F4441BAD00DD32E6DA346941CB11
              Function 00007FFD9B8A05A0 Relevance: .3, Instructions: 321COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 087ff58287c128076c2ed7193e287d9f522ebbe1f93cd57149aa2123ad3811b8
              • Instruction ID: 1897a80f4f632c4b40158d91c45032a83b9037edce687bc4d5028c54f5306078
              • Opcode Fuzzy Hash: 087ff58287c128076c2ed7193e287d9f522ebbe1f93cd57149aa2123ad3811b8
              • Instruction Fuzzy Hash: 93913743B1F6DA4BE32567AC7C390F97B90EF4666870D43F7E09C8A0E7EC1965068291
              Function 00007FFD9B8A05FA Relevance: .3, Instructions: 307COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07b4b8ae701d591f2d7cc049cb7a2c99d60f24152a17368093fce6337472e730
              • Instruction ID: 9ee7bc2d1a90dfb2070bda6db4553a3a5d8d5793b36685e03e59ac16fe3123d8
              • Opcode Fuzzy Hash: 07b4b8ae701d591f2d7cc049cb7a2c99d60f24152a17368093fce6337472e730
              • Instruction Fuzzy Hash: 06913843B1F6D94BE32567AC7C390E97F90EF46668B0D43F7E09C8A0E7EC1965068291
              Function 00007FFD9B8A1628 Relevance: .3, Instructions: 286COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b7932464fa793c595814de603500099470dae1b5ede7aae2b002c823f6267d0
              • Instruction ID: aaed521a8e17c8b44d1a02412ae2b59e49dde82103ef2ed558b092bb2a5797cd
              • Opcode Fuzzy Hash: 3b7932464fa793c595814de603500099470dae1b5ede7aae2b002c823f6267d0
              • Instruction Fuzzy Hash: AC81D031B0DA4D4BDB99EF5888605A977E2FFD9300B15057EE49DC3292DE34AD02C781
              Function 00007FFD9B8A0640 Relevance: .3, Instructions: 270COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d44ebd08362d591a2478ff6c013f4fc35d90d04b64ee857a28fa3361c4809e15
              • Instruction ID: f3052531c9b4a8c9c6d596fba17b3ba7793c967e021fe18d9c7451354b3ab066
              • Opcode Fuzzy Hash: d44ebd08362d591a2478ff6c013f4fc35d90d04b64ee857a28fa3361c4809e15
              • Instruction Fuzzy Hash: DB713A43B1F6D94BE32567AC7C290E86F90EF4676470D43F7E09C8A0F7EC1965068295
              Function 00007FFD9B8A05B8 Relevance: .2, Instructions: 200COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76bd5f659853c3f149cdded45ffbaada2d67b8d8ed190571ff8cf2a682355b5b
              • Instruction ID: 182d0a9d9891aeb72aef2937b109c37604972391951127d2f48f3fc063023ce7
              • Opcode Fuzzy Hash: 76bd5f659853c3f149cdded45ffbaada2d67b8d8ed190571ff8cf2a682355b5b
              • Instruction Fuzzy Hash: 1C516C42B1F6D94BE32167BC6C390E87FA0EF45754B0942F7D09C8A0E7EC1975458395
              Function 00007FFD9B8A1C8D Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4da7ad36a2dd483ef144b476b15a491e2b6c5ed3f8a68014bda0d05512fc78c2
              • Instruction ID: 329ce16940e9be959582f5fb7c00982eb05316f3574f011577966ef579d9c02b
              • Opcode Fuzzy Hash: 4da7ad36a2dd483ef144b476b15a491e2b6c5ed3f8a68014bda0d05512fc78c2
              • Instruction Fuzzy Hash: 5951D131B09B8D8FDB59DF5888A05BA77E2FF99300B15457EE45AC7292DE34E802C780
              Function 00007FFD9B8B2A81 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4dc161cf13c35ef655ced98c21247964a9263a8d637dce7e16395ec7f84ebf0b
              • Instruction ID: 6805eee2b23399d3eec5ffb1b261012c5bf562e5ef0bdfb3e43fc158020a2620
              • Opcode Fuzzy Hash: 4dc161cf13c35ef655ced98c21247964a9263a8d637dce7e16395ec7f84ebf0b
              • Instruction Fuzzy Hash: 1151CE70E0951D8EEB64EFA8D8687ECBBB1FB58300F1141BAC41DE7291DE745A848F50
              Function 00007FFD9B8A30E1 Relevance: .2, Instructions: 151COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 416195ddc698e087f7e21514127fd7d4ddcb5ad45f3a33be6e911b63be38f25c
              • Instruction ID: 3010251e751ca1b18d7427e7b7ab40275df8ec8aa83fa1e2ea8d08cd09808d99
              • Opcode Fuzzy Hash: 416195ddc698e087f7e21514127fd7d4ddcb5ad45f3a33be6e911b63be38f25c
              • Instruction Fuzzy Hash: 1B512D70E0961E8FEB64DFA8C4A56EDBBF1FF59301F414079D009E72A1DA38AA44CB10
              Function 00007FFD9B8A20A5 Relevance: .1, Instructions: 142COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2cc930db3f58342ced256018fda4c15f301b3fc2b3025df2d8171d222e0512ac
              • Instruction ID: 167831b79f6db6151364906fe6ac224527c32cc7d55dded692f6ae0147555d12
              • Opcode Fuzzy Hash: 2cc930db3f58342ced256018fda4c15f301b3fc2b3025df2d8171d222e0512ac
              • Instruction Fuzzy Hash: 1B415A31B0E64E4FE766DBB898655B87BE0FF49300B0545BBD44CC71A2EE28B9418351
              Function 00007FFD9B8ABCC9 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aebb351cc65dc118cc80ffa68fa9cd7b58a4c09f4626e12a22125777ed531f95
              • Instruction ID: 76b51f33146646a9cc88f160d97b651faa20298d3633213f60eb705d5ec26d50
              • Opcode Fuzzy Hash: aebb351cc65dc118cc80ffa68fa9cd7b58a4c09f4626e12a22125777ed531f95
              • Instruction Fuzzy Hash: 9F41E570E0A64E8FEB68DFA4D4646ED77B5FF08310F11047ED00AE72A1DA396A40CB60
              Function 00007FFD9B8AC165 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e16738b7f80d6a7eb6eff828410aa8083890de82da1e199357039cbb4fb124ca
              • Instruction ID: c43563b753011ee55792539e10cd3daf3bf93d616fec3e39f283528cdcee81c6
              • Opcode Fuzzy Hash: e16738b7f80d6a7eb6eff828410aa8083890de82da1e199357039cbb4fb124ca
              • Instruction Fuzzy Hash: CE31DA75E1D91D9EEBA4EB98D8A5AACB7B5FF5C300F41013AD00DE3292DE3469418B50
              Function 00007FFD9B8AAEFA Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e3152f202a36bbfbbce05a8646382699291167d854eff48d472a1504858ddbbc
              • Instruction ID: f83764d6b43fc397afdf506f01ea33ced7dcb02a6d554fecff66512e5ae58543
              • Opcode Fuzzy Hash: e3152f202a36bbfbbce05a8646382699291167d854eff48d472a1504858ddbbc
              • Instruction Fuzzy Hash: 31313771F0E98E6FE765DBB888281E87BE0FF19340F0544BBC058C70A6EE346A058761
              Function 00007FFD9B8A0805 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58dc46fbf338952b0460acdf34569ad55d6cf2a99ccf857924b09ee0adf95af7
              • Instruction ID: 305dfdc923b28a385b0570ba745e24c782f2ef37421854e0522cafb529b6ec88
              • Opcode Fuzzy Hash: 58dc46fbf338952b0460acdf34569ad55d6cf2a99ccf857924b09ee0adf95af7
              • Instruction Fuzzy Hash: D5219B51B1F18B97E71523BC9C7A5E8BB90FF05618F0942B7C0ACC90D3ED08A15A82D5
              Function 00007FFD9B8B2CA2 Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f94992c194b7dbd157ddc2e5d67436d8b0c1b773b8485851c89be42961f87380
              • Instruction ID: 5620abbe201c660a59ecd18997d9ee87f3c2667d82276605fccee140dd6d32a1
              • Opcode Fuzzy Hash: f94992c194b7dbd157ddc2e5d67436d8b0c1b773b8485851c89be42961f87380
              • Instruction Fuzzy Hash: EA319770E1961D9FEB54EFA4D865BEDBBB1FF18300F5041A9D00CA3296DE346A818F41
              Function 00007FFD9B8B3BFB Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d17490c5c8c926f6b7a67ef6f341af456144f340fdb6545886f2ad49bd0e1da7
              • Instruction ID: 51584327bec87691393e9dca3def607213aaded35a9f397b8541cf065208c651
              • Opcode Fuzzy Hash: d17490c5c8c926f6b7a67ef6f341af456144f340fdb6545886f2ad49bd0e1da7
              • Instruction Fuzzy Hash: 9821C771B0E69E5FE762ABB88C795E97BE0FF59310F0605B7D408C70A3D92466448B81
              Function 00007FFD9B8A32F0 Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15e89c5ce7a4e7cd62dffb965a08ea88cc904b68625630afa7daf2c451476b62
              • Instruction ID: 183b44d74497f222296c9a3b059d9e6625a92924a7f914510d9b958f98a1e62e
              • Opcode Fuzzy Hash: 15e89c5ce7a4e7cd62dffb965a08ea88cc904b68625630afa7daf2c451476b62
              • Instruction Fuzzy Hash: F0213D3094E78A5FD743AB7488685A57FF0EF0B314B0A05FBD048CB0B3DA29A545C761
              Function 00007FFD9B8A3391 Relevance: .1, Instructions: 77COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc1fff091bba32b35bd6031479fe5f648891948cbffc21047143e3bfd242b783
              • Instruction ID: 8a657b9bda215e0b5e3b5ff8d8f9b114d46a77fd6b656eb16ea6c6165763e2eb
              • Opcode Fuzzy Hash: bc1fff091bba32b35bd6031479fe5f648891948cbffc21047143e3bfd242b783
              • Instruction Fuzzy Hash: C1214C30A0A60E8FEB65EBA498696BE77A0FF18305F01097AD42DC71A5DF79A600D750
              Function 00007FFD9B8AB814 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83091c74e3c13d792a4ef20064727768b40486125e1541c44d73d5e2872cb4ac
              • Instruction ID: 9360ef4be7f58b1c87918660b1c56be95274f305c090a11eba31ad94eeb33aa1
              • Opcode Fuzzy Hash: 83091c74e3c13d792a4ef20064727768b40486125e1541c44d73d5e2872cb4ac
              • Instruction Fuzzy Hash: 7B21DC70E0551E8FEB74EFA4C8656EDB6B1EF5C300F5145BAD40DE22A1DE386A818F50
              Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 004e1a20dd9acd48649ed86b7e6cebfc22e0c393a3bb21924e8f5b96e538b471
              • Instruction ID: cb14622e0bcd6e70aef80103ff992565c93e800687294c4a13cdb02acdba3f6c
              • Opcode Fuzzy Hash: 004e1a20dd9acd48649ed86b7e6cebfc22e0c393a3bb21924e8f5b96e538b471
              • Instruction Fuzzy Hash: 4911B230E1A50E4FE790EBA888595BD77E1FF58700F4146B6D41CC70A6EE34B6458710
              Function 00007FFD9B8A0EEB Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44a53455ee95e60bf77b08c3dbff5d19ff67c90a93d457acf4943dd209a79a67
              • Instruction ID: 834b11f7b4b73db32b305ab074158c9ef3035193c77a0214bc2f49aade1c9284
              • Opcode Fuzzy Hash: 44a53455ee95e60bf77b08c3dbff5d19ff67c90a93d457acf4943dd209a79a67
              • Instruction Fuzzy Hash: 66219230F1990E8FEB68DB94D865FED73A1EF58310F114279C00DA71E5CE346A458B90
              Function 00007FFD9B8B2531 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d11a86c63f30caf56e608b1ec7d1ad5c3dae6852bd5615e7493588044aca3e96
              • Instruction ID: 0d9e94864d1b77da184b495b0d52db1168c08f512581d07f8a832247dc7b08f2
              • Opcode Fuzzy Hash: d11a86c63f30caf56e608b1ec7d1ad5c3dae6852bd5615e7493588044aca3e96
              • Instruction Fuzzy Hash: DA11B170A1964D8FDB98DF68D4A55E93FE1FF5C304F02017EE849C31A5CA34A540CB81
              Function 00007FFD9B8A1F59 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec1dfde7b1666587fcad3c44fd98e898f2964f0fe5551e1f20f4468154c6fc80
              • Instruction ID: a6fcc75d1c594dbcfece43c37e4bb56148a6260bbd06d22a036f9f4f77623ebd
              • Opcode Fuzzy Hash: ec1dfde7b1666587fcad3c44fd98e898f2964f0fe5551e1f20f4468154c6fc80
              • Instruction Fuzzy Hash: 87114C11A4F6C65EEB2367B948754656FA05F07224B2E46FBD0D8CF0E3DA08598AC322
              Function 00007FFD9B8AC8D3 Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf8171ba79f884860c4d6d4e008c86433c19b04239a4380982c3b1bb63c4fb00
              • Instruction ID: 5f16828cec4fe2880b90f9f7217fc0a74e6a544c74b085cf222436e39911af61
              • Opcode Fuzzy Hash: cf8171ba79f884860c4d6d4e008c86433c19b04239a4380982c3b1bb63c4fb00
              • Instruction Fuzzy Hash: 1D110435A0A65E4FDB59AF58DC681F93BA0FF4A211F4514BBC408C60A2DA345504CBA1
              Function 00007FFD9B8A112D Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0c030c373e65fc2f3bf4b708c762f645c8bb7cda05a9e92ea4a249bb978dcfc
              • Instruction ID: 7446c5b2aead9cdb51a3c68921d8ebfd44941a6990e2bd001e0d1b702b5836a2
              • Opcode Fuzzy Hash: c0c030c373e65fc2f3bf4b708c762f645c8bb7cda05a9e92ea4a249bb978dcfc
              • Instruction Fuzzy Hash: 59110870E0EA4E4EEB6AAB68C8786B97FE0FF5A314F0116BED019C61E1DF256540C710
              Function 00007FFD9B8AC950 Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 805d0739d42fe08fc877ad408deaa0323d33ab75dab3f784c9fe5b4134b4d4f0
              • Instruction ID: 17197cc8ac0abccae5030e6c3868dd6b5e6b4680e9368e5270162f9941807fc9
              • Opcode Fuzzy Hash: 805d0739d42fe08fc877ad408deaa0323d33ab75dab3f784c9fe5b4134b4d4f0
              • Instruction Fuzzy Hash: E8116D30A0A65E8FDB56EF6888A86B93BF0FF09304F0505BBD419C61A6DA346540CB51
              Function 00007FFD9B8ABC45 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a723237e920a69518032042bbd2f45f7b28318cec1679e4abb11838e6ac300c6
              • Instruction ID: 6a317119076c7a47b9fbf3044ec48176eeefaf3fec1fad7c34a0ea5d62e69608
              • Opcode Fuzzy Hash: a723237e920a69518032042bbd2f45f7b28318cec1679e4abb11838e6ac300c6
              • Instruction Fuzzy Hash: 08118230A0A64E4FDB55EFA4C8A85BD7BE1FF18301F4105BED419C61A1DE35A650C700
              Function 00007FFD9B8AC035 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8e933110357ad360e1c525bba936d09297e9a857ae969931a156b00df912aaf
              • Instruction ID: 88b31bf9defd8de0eb5b25f45a6b66f5f608b6e00a8f03d4184272d4740bfde7
              • Opcode Fuzzy Hash: d8e933110357ad360e1c525bba936d09297e9a857ae969931a156b00df912aaf
              • Instruction Fuzzy Hash: 36118230A0AA4E8FDB95EF68C8682BD7BE0FF19300F0105BED419D61A2DE34A644CB00
              Function 00007FFD9B8B2399 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15e49a2f976b2f4e51fd2bd04b9f0cc5fbf328dd871a2382b939520be552998a
              • Instruction ID: 87cba14a95e4dd87e2838533bfb2613515481a027d12f1d8a4df25c7974d2921
              • Opcode Fuzzy Hash: 15e49a2f976b2f4e51fd2bd04b9f0cc5fbf328dd871a2382b939520be552998a
              • Instruction Fuzzy Hash: A1119E6184E3CA4FD7274BB05C355E67FB4AF07214F0A05EBE489CA0A3D61C265AC363
              Function 00007FFD9B8B2A01 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a225e2598ebd23538c462fbfb953103dafacd3358144f1df881aa8af6881e68c
              • Instruction ID: 560df53b600ccdc58989d8ff75c0e11f44d32604112766bb294d68aad5f60938
              • Opcode Fuzzy Hash: a225e2598ebd23538c462fbfb953103dafacd3358144f1df881aa8af6881e68c
              • Instruction Fuzzy Hash: AD118430A1D65E9FEB62EFB484595FA7FE4EF1A300F0549B6D418C6076DA34A284CB41
              Function 00007FFD9B8A3485 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fa551d41c2c0da65cdfaed20f86f17944d4a6639fcfb3f56a8f3cede1af4d615
              • Instruction ID: 2566a701dd2487f1218475f6992e70db4765927b62f1131c6e69c44071d6e912
              • Opcode Fuzzy Hash: fa551d41c2c0da65cdfaed20f86f17944d4a6639fcfb3f56a8f3cede1af4d615
              • Instruction Fuzzy Hash: 29117030A0A64E4FDB66EFA4C8685BD7BA0FF29301F0104BED419D61A1DA35A5408710
              Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51742fdd79ff88d02e973308e6a84369edfd7253d95ad210a7d7c07e761758af
              • Instruction ID: 3fc031dbce15509f06451cf7a5a0e479ca62cf60794855107cdefc200f4f78ca
              • Opcode Fuzzy Hash: 51742fdd79ff88d02e973308e6a84369edfd7253d95ad210a7d7c07e761758af
              • Instruction Fuzzy Hash: A5019E30A0A90E8FEB98FF64C4A96BA77A1FF5D304F51447ED41EC21A4CA35A650CB50
              Function 00007FFD9B8A1C01 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed00a3f9401873641420fa4c407a3bd0c061783ed672d1af27339fcf15c21593
              • Instruction ID: 0645cddebdca363f90e7485ded11603168c26ebb4b32e2f083b0ad924b57e941
              • Opcode Fuzzy Hash: ed00a3f9401873641420fa4c407a3bd0c061783ed672d1af27339fcf15c21593
              • Instruction Fuzzy Hash: 5B01D630A0E68E8FEB99EF24C8A55B97BA1FF5A300F45117ED408C71A2DB35D650C740
              Function 00007FFD9B8B0DF0 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68b00f06cbd421ff6762739289c13553b1ceec0afc82189cb22d44a0bc33c1e1
              • Instruction ID: efa612b9ad69de63b3060da96516246cb66179cb1a9240e9452b9ba62b4d2108
              • Opcode Fuzzy Hash: 68b00f06cbd421ff6762739289c13553b1ceec0afc82189cb22d44a0bc33c1e1
              • Instruction Fuzzy Hash: CE012C30A2591E8FEB99EFA4C4686BE77E1FF18305F11047AD41ED21A5DF35A650CB40
              Function 00007FFD9B8A2E59 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1ae871a621875f5b990c0bf8f9ee55f619764ebc7a13b64b688d0490509db98
              • Instruction ID: 967e4c238be46bc958ede311dbe632964b0fbb15c362eb09e411513c486a0be1
              • Opcode Fuzzy Hash: b1ae871a621875f5b990c0bf8f9ee55f619764ebc7a13b64b688d0490509db98
              • Instruction Fuzzy Hash: E701D830A0E64D4FD771AFB489585A93BE0EF0A300F0645F2D408C60B7DA28A5948310
              Function 00007FFD9B8AAAE9 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6668de09b2d2001eedb2fc060dd6609ebff590d409f855a6a6218678f915d785
              • Instruction ID: a2b4eb35017c6683f4855d1ea333e26598cb143423b871fe337b980d94a08789
              • Opcode Fuzzy Hash: 6668de09b2d2001eedb2fc060dd6609ebff590d409f855a6a6218678f915d785
              • Instruction Fuzzy Hash: EF018430A4E64D9FD762ABB488696A97BE1EF09304F4609F3D40CC64F6DE38A544C721
              Function 00007FFD9B8A27BD Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3be0e7573f670ea4585358e224c16ab82b1a5e8fd4a328d07cd394d94f2f033f
              • Instruction ID: e778f34dcf210a7d8fbf8b7f524b4e85d660dbe96a7ca4ca783f3006a472260f
              • Opcode Fuzzy Hash: 3be0e7573f670ea4585358e224c16ab82b1a5e8fd4a328d07cd394d94f2f033f
              • Instruction Fuzzy Hash: 0C018F30A1E64E8FE761EFA489695A97BE0FF19304F0644B6D40CC70A6EE38E644C711
              Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5edd3a8cfa0e3ac68a99c3c5fa50fee21511a123fdf0f1c6f228847c819e933d
              • Instruction ID: 00d9e99c202ceae4d5c374f2d878f386b8652ed2bf4f4ba918714cd854285f01
              • Opcode Fuzzy Hash: 5edd3a8cfa0e3ac68a99c3c5fa50fee21511a123fdf0f1c6f228847c819e933d
              • Instruction Fuzzy Hash: 1B016D30A1990ECAEB68EFA4C5686B973A0FF1C305F5108BED41EC21E5DE35B690CA10
              Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 258c8338aae6e262305e8862a74422960208256c61c38d59753341ac826a1132
              • Instruction ID: 57f75f81ce72c14529a86873e1160a702864846e5a1f13351f4f8594b2093872
              • Opcode Fuzzy Hash: 258c8338aae6e262305e8862a74422960208256c61c38d59753341ac826a1132
              • Instruction Fuzzy Hash: 98016D30A1A50E8AEB6DEFA4C4686B972A0FF18304F11087EE41EC21E5DF35B650CA10
              Function 00007FFD9B8B0DD1 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cb95f4359227ee0159498999817b78402fec45db0bdf522623907a6325ae040
              • Instruction ID: dd25a4aea110386929de925d80b6ce2d4735488f6b556c3d542ff6ee283d84a9
              • Opcode Fuzzy Hash: 6cb95f4359227ee0159498999817b78402fec45db0bdf522623907a6325ae040
              • Instruction Fuzzy Hash: 67F0A471A1E69E8FEB95DF64C8282FE7BE0FF19301F02057AE818C20A1EB745650CB40
              Function 00007FFD9B8A1140 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b3c6ae801bc118f61fd4c3b7ff1501b6efd67dd2a9baded56b10c5feb7b58c1
              • Instruction ID: 89d7ad0f724e8bac58fbbe65a9c98711be34fea67353c823573ee3d5f664bad2
              • Opcode Fuzzy Hash: 2b3c6ae801bc118f61fd4c3b7ff1501b6efd67dd2a9baded56b10c5feb7b58c1
              • Instruction Fuzzy Hash: E7F0CD70F1E61E49FB656BA898643FA7BE4FF5A315F00157AD41DC10E1DF341214C651
              Function 00007FFD9B8AABB8 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf16e23429ee5fba756df0842ae37385626fa591302027dfd0125e58ce779311
              • Instruction ID: 2ca5f76932ff0df6fbee52093a88a6b897977502d482e74a159605a4a14c962d
              • Opcode Fuzzy Hash: cf16e23429ee5fba756df0842ae37385626fa591302027dfd0125e58ce779311
              • Instruction Fuzzy Hash: 96F08130A1951E8BDB58EFB4D4656BE7AA0FF08314F11087EE41ED24E5DE356250CA81
              Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7525c96a262af4e3bba8e649a7cc8bde3e6eed06e5669266a3b39232df78ca3c
              • Instruction ID: c865455778ab29b1b37e5924583fcd27ecbdfd39a665eb8099947ba146fe7001
              • Opcode Fuzzy Hash: 7525c96a262af4e3bba8e649a7cc8bde3e6eed06e5669266a3b39232df78ca3c
              • Instruction Fuzzy Hash: 8AF0C230A0A61E8FEB98FF6494696FA77A0EF0A308F41047AE81DC21A1DA35A650C750
              Function 00007FFD9B8A2290 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f28ed5438a6762e00f0c761e24e04e672620895af3244585a2b70f3bdda282e
              • Instruction ID: 592511a4a9460c95caa63a2ee3c92b143a3cc8eae961578aa1fbae5e320be53d
              • Opcode Fuzzy Hash: 7f28ed5438a6762e00f0c761e24e04e672620895af3244585a2b70f3bdda282e
              • Instruction Fuzzy Hash: DEF03031E2E51E8AEB35AFD599216FCF265EF19311F511235D12E560F1DD28220586A0
              Function 00007FFD9B8A274D Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38b0a47b3e708a7cedacb949168a4d5f0aa0c77307bddea8b4fbe861efa65083
              • Instruction ID: d9275d1cfaeec9ec2d48dacdb7c07364282398220e35166073b04a15dd5f3eed
              • Opcode Fuzzy Hash: 38b0a47b3e708a7cedacb949168a4d5f0aa0c77307bddea8b4fbe861efa65083
              • Instruction Fuzzy Hash: 9DF0963090E68ECFDB799FA489251A93BA0FF19200F4645BED419C51E6DB38A654CB11
              Function 00007FFD9B8A26D9 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9277d2820f84ce3dbb4770e399b69f92a7e8c7a33c280817b97ef8cfc3a1976c
              • Instruction ID: 377317b2919e62aca4e61814f2b98e47a79ae51f03c1d8bc8156914721283392
              • Opcode Fuzzy Hash: 9277d2820f84ce3dbb4770e399b69f92a7e8c7a33c280817b97ef8cfc3a1976c
              • Instruction Fuzzy Hash: 45F0683090F78D8FDB699F6488351A93BA0FF1A204F4504BBD409C50E2DB386654C711
              Function 00007FFD9B8B2C65 Relevance: .0, Instructions: 26COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction ID: ed490c142cc48069fab975938879706cbc1170b653097b48690381d7d89fead1
              • Opcode Fuzzy Hash: 4000ed23e2c400793e2fd7907249fff8f2af15dccbfbf22ab9ae226fa7baf19c
              • Instruction Fuzzy Hash: DBF0D070E0551E9BEB60EBA9D854BEDB7A5FB58301F1081B5C409E21A5DE386A84CF50
              Function 00007FFD9B8A1690 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction ID: 486c596960f2089ffe6158ff5986bcdd50f1b2e86c9448bc0d99d99c5715b0c2
              • Opcode Fuzzy Hash: 23e6303cb1bdaf0436858807ef98a79680f147598c5c1ff5afc55bcb72e1197e
              • Instruction Fuzzy Hash: B6E06520F0A44A4AEA347798809453461D15B4A304FBA8675F01DC61F1EA2CED81C211
              Function 00007FFD9B8A4031 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000017.00000002.1761025769.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_23_2_7ffd9b8a0000_xzCoZyfxKxCkf.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction ID: dcc0fb5e19eaf8f62a0e0f541b820d2d20dc4f85923d9dee78303ab7f0a4b56b
              • Opcode Fuzzy Hash: c1f2c41630708f6af9bfe3ff9ef4e636f81ef5d5a029c0cf20231580bf5eecc1
              • Instruction Fuzzy Hash: E4E09AB0D4E229CEDBA1DF6489587A877F0AB09380F5141E5900DE61A1DA345B849F20